
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-4877 is a vulnerability discovered in the libssh package affecting all versions on 32-bit architectures. The vulnerability was discovered by Ronald Crane and publicly disclosed on June 25, 2025. The issue occurs when a libssh consumer passes an unexpectedly large input buffer to the ssh_get_fingerprint_hash() function, which can lead to an integer overflow in the bin_to_base64() function (LibSSH Advisory).
The vulnerability stems from an integer overflow condition in the bin_to_base64() function located in src/base64.c. When processing large input buffers on 32-bit architectures, this overflow causes the output buffer to be under-allocated, potentially resulting in out-of-bounds writes and heap corruption. The issue specifically manifests when the ssh_get_fingerprint_hash() API is misused with unexpectedly large input buffers. The vulnerability has been assigned a CVSS 3.1 base score of 4.5 (Medium) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L (Ubuntu CVE).
The exploitation of this vulnerability could lead to multiple security implications including denial of service through application crashes, potential arbitrary code execution, and possible heap corruption. The impact is particularly significant on 32-bit systems where the integer overflow condition can be triggered (Ubuntu USN).
As a mitigation, the bin_to_base64() function has been modified to reject inputs larger than 256MB, aligning with other input processing functions. The vulnerability has been fixed in multiple Linux distributions with updated package versions. For Ubuntu, fixes are available in versions 0.11.1-1ubuntu0.1 (25.04), 0.10.6-3ubuntu1.1 (24.10), 0.10.6-2ubuntu0.1 (24.04 LTS), and 0.9.6-2ubuntu0.22.04.4 (22.04 LTS). As a workaround, users should ensure that ssh_get_fingerprint_hash() is not used to encode arbitrary buffers larger than 1GB on 32-bit architectures (Ubuntu USN, LibSSH Advisory).
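The following is an added illustration of the failure mode described above, not libssh's own code: the base64 output-size formula shown here (len * 4 / 3 + 4) is an assumption chosen to show how a multiply-then-divide size calculation wraps when size_t is 32 bits, and the 256 MiB cap mirrors the limit the advisory describes. The example contrasts the unchecked computation with a hardened version that rejects oversized input before any arithmetic and computes the size in 64 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Cap on input length, matching the 256MB limit described in the advisory. */
#define MAX_B64_INPUT (256u * 1024u * 1024u)

/*
 * Hypothetical unchecked size calculation, using a 32-bit unsigned type
 * the way size_t behaves on a 32-bit build. The multiplication happens
 * first, so any len of 1 GiB or more wraps modulo 2^32 and the result is
 * far smaller than the input: a buffer allocated from it is under-sized.
 */
uint32_t b64_out_len_unchecked(uint32_t len) {
    return len * 4u / 3u + 4u;
}

/*
 * Hardened version: reject anything over the cap before doing arithmetic,
 * and compute the size in 64 bits so the intermediate cannot wrap.
 * Returns 0 to signal rejection (no buffer should be allocated).
 */
uint32_t b64_out_len_checked(uint32_t len) {
    if (len > MAX_B64_INPUT) {
        return 0;
    }
    uint64_t out = (uint64_t)len * 4u / 3u + 4u;
    /* 256 MiB * 4 / 3 + 4 comfortably fits in 32 bits, so this cast is safe. */
    return (uint32_t)out;
}

/* Detection helper: a base64 output length can never be shorter than the
 * input, so "output < input" is a reliable sign that the size wrapped. */
int under_allocated(uint32_t len) {
    return b64_out_len_unchecked(len) < len;
}

int main(void) {
    /* Constructed sample lengths: a normal fingerprint-sized buffer and a
     * 1 GiB + 1 byte buffer that trips the wrap on a 32-bit size_t. */
    uint32_t small = 300u;
    uint32_t huge  = 0x40000001u;

    printf("len=%u unchecked=%u checked=%u wrapped=%d\n",
           small, b64_out_len_unchecked(small), b64_out_len_checked(small),
           under_allocated(small));
    printf("len=%u unchecked=%u checked=%u wrapped=%d\n",
           huge, b64_out_len_unchecked(huge), b64_out_len_checked(huge),
           under_allocated(huge));
    return 0;
}
```

The unchecked path returns a 5-byte size for an input of just over 1 GiB, which is exactly the under-allocation that makes a later encoding loop write past the heap block; the checked path refuses the same input before any allocation is attempted.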
Source: This report was generated using AI