Directory Traversal Vulnerability in AsyncSSH Client by Ron Fitch
CVE-2026-54591
8.1HIGH
What is CVE-2026-54591?
AsyncSSH, a Python package offering asynchronous SSHv2 client and server capabilities, contains a directory traversal vulnerability prior to version 2.23.1. Malicious SSH servers can exploit this flaw by sending specially crafted filenames with '../' traversal sequences, which allows them to overwrite arbitrary files on the AsyncSSH SCP client's filesystem. The vulnerability arises because the _parse_cd_args function in scp.py returns server-provided names without validation and joins them to a target path, breaching the security of the directory boundary. This critical issue has been resolved in version 2.23.1 of AsyncSSH.
Affected Version(s)
asyncssh < 2.23.1
