CVE-2018-3737
Denial of Service vulnerability in sshpk (npm)
What is CVE-2018-3737 About?
This vulnerability is a regular expression denial of service (ReDoS) in `sshpk` versions before 1.13.2 or 1.14.1. It allows an attacker to cause a denial of service by providing a specially crafted invalid public key. Exploitation is relatively easy as it only requires supplying malformed input.
Affected Software
Technical Details
The sshpk library, used for parsing SSH public keys, contains a regular expression that is susceptible to catastrophic backtracking. When the library attempts to parse a specially crafted, invalid public key containing specific patterns, the regular expression engine enters an inefficient state, consuming excessive CPU resources and time. This extended processing time effectively renders the sshpk component, and potentially the entire application utilizing it, unresponsive, leading to a denial of service.
What is the Impact of CVE-2018-3737?
Successful exploitation may allow attackers to cause a denial of service, making the affected system or application unavailable to legitimate users.
What is the Exploitability of CVE-2018-3737?
Exploitation of this ReDoS vulnerability is generally low complexity, requiring only the ability to submit a crafted invalid public key to an application using the vulnerable sshpk library. No authentication or specific privileges are needed, as the attack occurs during the parsing of input data. The attack is remote, as it targets a service that processes public keys. The primary risk factor is the public availability of services that accept and parse SSH public keys without adequate input validation or resource limits.
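One way to apply the input validation and resource limits mentioned above before untrusted key text reaches a parser, shown as an added example (not sshpk's code and not its fix). It assumes the one-line OpenSSH format `<type> <base64> [comment]`; `precheckSshPublicKey`, `sshString` and the `MAX_KEY_LINE` value are hypothetical names and limits chosen for illustration.

```javascript
// Added example, not sshpk code: linear-time pre-check for a one-line
// OpenSSH public key ("<type> <base64> [comment]") before full parsing.
const MAX_KEY_LINE = 8192; // assumed cap; size it to the largest key you accept
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
const isSpace = (ch) => ch === ' ' || ch === '\t';
const fail = (reason) => ({ ok: false, reason });

function precheckSshPublicKey(line) {
  if (typeof line !== 'string') return fail('not a string');
  if (line.length > MAX_KEY_LINE) return fail('too long'); // bound work up front
  const s = line.trim();
  // Single forward pass with explicit indices: nothing here can backtrack.
  let i = 0;
  while (i < s.length && !isSpace(s[i])) i++;
  const type = s.slice(0, i);
  while (i < s.length && isSpace(s[i])) i++;
  const start = i;
  while (i < s.length && !isSpace(s[i])) i++;
  const b64 = s.slice(start, i);
  if (type === '' || b64 === '') return fail('missing field');
  // Allow at most two '=' and only at the end of the base64 field.
  let end = b64.length;
  while (end > 0 && b64[end - 1] === '=') end--;
  if (b64.length - end > 2) return fail('bad base64');
  for (let j = 0; j < end; j++) {
    if (!B64.includes(b64[j])) return fail('bad base64');
  }
  // The decoded blob starts with an SSH string (uint32 length + bytes)
  // naming the algorithm; it must equal the text prefix.
  const blob = Buffer.from(b64, 'base64');
  if (blob.length < 4) return fail('blob too short');
  const n = blob.readUInt32BE(0);
  if (n !== type.length || blob.length < 4 + n ||
      blob.toString('latin1', 4, 4 + n) !== type) return fail('type mismatch');
  return { ok: true, type, comment: s.slice(i).trim() };
}

// Constructed sample: an ed25519-shaped blob with an all-zero 32-byte key.
function sshString(buf) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(buf.length, 0);
  return Buffer.concat([len, buf]);
}
const sampleBlob = Buffer.concat(
  [sshString(Buffer.from('ssh-ed25519')), sshString(Buffer.alloc(32))]);
const sampleKey = `ssh-ed25519 ${sampleBlob.toString('base64')} user@example`;
console.log(precheckSshPublicKey(sampleKey));
```

A check like this bounds the work done on rejected input; it complements the upgrade listed under the available fixes and does not replace it.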
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-3737?
About the Fix from Resolved Security
This patch tightens the regular expressions used to parse SSH public keys, enforcing stricter separation between key data and comments to prevent comment injection or manipulation. By doing so, it fixes CVE-2018-3737, which allowed an attacker to craft malicious keys where comments were interpreted as part of the key, potentially bypassing key-based authentication controls.
Available Upgrade Options
- sshpk
  - <1.13.2 → Upgrade to 1.13.2
Additional Resources
- https://www.npmjs.com/advisories/606
- https://github.com/advisories/GHSA-2m39-62fm-q8r3
- https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
- https://hackerone.com/reports/319593
- https://nvd.nist.gov/vuln/detail/CVE-2018-3737
- https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17
- https://osv.dev/vulnerability/GHSA-2m39-62fm-q8r3
What are Similar Vulnerabilities to CVE-2018-3737?
Similar Vulnerabilities: CVE-2019-8331, CVE-2020-28475, CVE-2021-23425, CVE-2022-24999, CVE-2023-28155
