2426410 – (CVE-2025-15224) CVE-2025-15224 curl: libssh key passphrase bypass without agent set

Bug 2426410 (CVE-2025-15224) - CVE-2025-15224 curl: libssh key passphrase bypass without agent set

Summary: CVE-2025-15224 curl: libssh key passphrase bypass without agent set

Keywords:
Status:	NEW
Alias:	CVE-2025-15224
Deadline:	2026-01-07
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-31 04:09 UTC by OSIDB Bzimport
Modified:	2026-06-02 08:28 UTC (History)
CC List:	24 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-31 04:09:25 UTC

This flaw only exists when libcurl is built to use the libssh backend, not the
libssh2 based one. This problem happened because libssh has a somewhat
surprising API choice where they fall back to agent authentication.

It should be noted that the authentication still only succeeds if the local
SSH agent actually has the correct passphrase.

Note You need to log in before you can comment on or make changes to this bug.

crizzo
csutherl
dbosanac
gtanzill
jbuscemi
jcantril
jclere
jmitchel
jreimann
kshier
mdessi
mrizzi
pbohmill
pcattana
pjindal
plodge
rojacob
sdawley
security-response-team
stcannon
szappis
teagle
vchlup
yguenane