Directory Traversal Vulnerability in AsyncSSH Client by Ron Fitch
CVE-2026-54591

8.1HIGH

Key Information:

Vendor

Ronf

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54591?

AsyncSSH, a Python package offering asynchronous SSHv2 client and server capabilities, contains a directory traversal vulnerability prior to version 2.23.1. Malicious SSH servers can exploit this flaw by sending specially crafted filenames with '../' traversal sequences, which allows them to overwrite arbitrary files on the AsyncSSH SCP client's filesystem. The vulnerability arises because the _parse_cd_args function in scp.py returns server-provided names without validation and joins them to a target path, breaching the security of the directory boundary. This critical issue has been resolved in version 2.23.1 of AsyncSSH.

Affected Version(s)

asyncssh < 2.23.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.