Man-in-the-middle attack via SSH host key bypass
Summary
When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack. A flaw was found in curl. When a libcurl-based application uses SCP:// or SFTP:// for transfers and employs the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an untrusted server. This occurs if the server's host key type differs from the one stored in the known_hosts file. The callback mechanism fails to enforce the host key restriction, enabling a connection to an untrusted server and risking a man-in-the-middle attack. This is an Important flaw where libcurl-based applications performing SCP or SFTP transfers with the CURLOPT_SSH_KEYFUNCTION callback may silently accept an untrusted server. This occurs when a server presents a host key type that differs from the one recorded in the known_hosts file, bypassing a critical host key verification and enabling potential man-in-the-middle attacks. The vulnerability requires specific application callback usage, not a general curl client default. Red Hat severity: Important — CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-347. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 22 seconds ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.