
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-5449 is a vulnerability discovered in the SFTP server message decoding logic of libssh, affecting versions 0.11.0 and 0.11.1. The vulnerability was reported on June 2, 2025, and publicly disclosed on July 25, 2025. The flaw exists in the sftp_decode_channel_data_to_packet() function, where an incorrect packet length check allows an integer overflow when handling large payload sizes on 32-bit systems (NVD, Ubuntu).
The vulnerability is classified as an Integer Overflow (CWE-190) with a CVSS v3.1 base score of 4.3 (Medium). The issue occurs when a malicious client sends invalid SFTP packets with the payload size field set to the value 0x7ffffffc (2GB - 3B). This value incorrectly passes the validity check on 32-bit platforms due to an integer overflow in the packet length check. While this does not lead to direct memory corruption, the subsequent call to ssh_buffer_add_data() fails to allocate a buffer larger than 256MB (LibSSH Advisory).
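To make the failure mode concrete, the following is an added, illustrative C reconstruction of the bug class, not libssh's own code: a bound check that adds the 4-byte SFTP length header to the length in a 32-bit signed type (what ssize_t/long is on a 32-bit platform), so the value 0x7ffffffc quoted above wraps negative and slips past the check, placed beside a check that compares without any addition. The 256MB limit and the packet layout are assumptions taken from the description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants: the 256 MiB ceiling the buffer layer enforces and the
 * 4-byte big-endian length prefix that starts every SFTP packet. */
#define MAX_PAYLOAD (256u * 1024u * 1024u)
#define LEN_HDR     4u

/* Read the big-endian 32-bit length field at the start of a packet. */
static uint32_t read_packet_len(const unsigned char *data)
{
    return ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
           ((uint32_t)data[2] << 8)  |  (uint32_t)data[3];
}

/* Vulnerable pattern (illustrative): the header is added to the length and the
 * sum is held in a 32-bit signed type. 0x7ffffffc + 4 = 0x80000000, which
 * becomes INT32_MIN, compares below the limit, and the oversized packet
 * proceeds to an allocation that the buffer layer then refuses. */
static bool length_ok_vulnerable(uint32_t packet_len)
{
    int32_t total = (int32_t)(packet_len + LEN_HDR); /* emulates 32-bit ssize_t */
    return total <= (int32_t)MAX_PAYLOAD;
}

/* Hardened pattern: compare against (limit - header) so no addition can wrap. */
static bool length_ok_fixed(uint32_t packet_len)
{
    return packet_len <= MAX_PAYLOAD - LEN_HDR;
}

/* Returns 1 if the chosen check accepts the packet, 0 if it rejects it,
 * and -1 if the chunk is too short to even contain the length field. */
static int check_packet(const unsigned char *data, size_t len, bool use_fixed)
{
    if (len < LEN_HDR) return -1;
    uint32_t packet_len = read_packet_len(data);
    bool ok = use_fixed ? length_ok_fixed(packet_len) : length_ok_vulnerable(packet_len);
    return ok ? 1 : 0;
}

/* Constructed sample chunk: length field 0x7ffffffc followed by two body bytes. */
static int check_constructed_sample(bool use_fixed)
{
    const unsigned char sample[] = {0x7f, 0xff, 0xff, 0xfc, 0x01, 0x02};
    return check_packet(sample, sizeof sample, use_fixed);
}

int main(void)
{
    printf("0x7ffffffc accepted? vulnerable=%d fixed=%d\n",
           check_constructed_sample(false), check_constructed_sample(true));
    return 0;
}
```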
The vulnerability results in a denial of service (DoS) condition when exploited, causing the server process to crash due to the failed memory allocation. The impact is limited to SFTP servers running on 32-bit systems, and the flaw can only be triggered by authenticated users with SFTP access (NVD, Ubuntu).
The vulnerability has been fixed in libssh version 0.11.2. System administrators are advised to upgrade to this version as soon as possible. No workarounds are available for this vulnerability. Ubuntu has released fixes for affected versions, with version 0.11.1-1ubuntu0.1 addressing the issue in Ubuntu 25.04 (plucky) (Ubuntu, LibSSH Advisory).
Source: This report was generated using AI