CVE-2025-14282

Name: CVE-2025-14282
Description: A flaw was found in Dropbear. When running in multi-user mode and authenticating users, the dropbear ssh server performs the socket forwardings requested by the remote client as root, only switching to the logged-in user when spawning a shell or performing certain operations such as reading the user's files. With the recently added ability to also use unix domain sockets as the forwarding destination, any user able to log in via ssh can connect to any unix socket with root's credentials, bypassing both file system restrictions and any SO_PEERCRED / SO_PASSCRED checks performed by the peer.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-6086-1
Debian Bugs: 1123069

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                    Version              Status
dropbear (PTS)    bullseye                   2020.81-3+deb11u2    fixed
                  bullseye (security)        2020.81-3+deb11u3    fixed
                  bookworm                   2022.83-1+deb12u3    fixed
                  trixie (security), trixie  2025.89-1~deb13u1    fixed
                  forky, sid                 2025.89-1            fixed

The information below is based on the following data on fixed versions.

Package    Type     Release     Fixed Version        Urgency    Origin        Debian Bugs
dropbear   source   bullseye    (not affected)
dropbear   source   bookworm    (not affected)
dropbear   source   trixie      2025.89-1~deb13u1               DSA-6086-1
dropbear   source   (unstable)  2025.89-1                                     1123069

Notes

[bookworm] - dropbear <not-affected> (Vulnerable code introduced later)
[bullseye] - dropbear <not-affected> (Vulnerable code introduced later)
https://github.com/mkj/dropbear/pull/391
https://github.com/mkj/dropbear/pull/394
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q4/002390.html
https://github.com/turistu/odds-n-ends/blob/main/CVE-2025-14282.md
