CVE-2025-4658: 
Homebrew vulnerability analysis and mitigation

A critical authentication bypass vulnerability (CVE-2025-4658) was discovered in OpenPubkey library versions prior to 0.10.0 and OPKSSH versions prior to 0.5.0, disclosed on May 13, 2025, by Cloudflare, Inc. The vulnerability allows attackers to bypass signature verification through specially crafted JSON Web Signatures (JWS) in the authentication process (NVD).

The vulnerability is classified as an Authentication Bypass (CWE-305) and Improper Verification of Cryptographic Signature (CWE-347). It received a CVSS 4.0 Base Score of 9.3 CRITICAL (Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L) and CVSS 3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability exists in the signature verification mechanism of the OpenPubkey library, which is a critical component used by OPKSSH for authentication purposes (NVD, Wiz).

The vulnerability allows attackers to bypass OPKSSH authentication entirely. Since OPKSSH is used for SSH access management with OpenID Connect identities, a successful exploit could lead to unauthorized access to systems using OPKSSH for authentication (NVD, OpenPubkey Github).

Users should upgrade OpenPubkey library to version 0.10.0 or later, and OPKSSH to version 0.5.0 or later to address this vulnerability. These updates include fixes for the signature verification bypass issue (NVD).

Security researchers have highlighted the critical nature of this vulnerability, particularly due to its potential impact on SSH access management systems. The vulnerability has gained significant attention in the cybersecurity community, as evidenced by coverage from major security firms (Daily CyberSecurity).