CVE-2025-54804: 
Rust vulnerability analysis and mitigation

Russh, a Rust SSH client & server library, was found to have a vulnerability (CVE-2025-54804) in versions 0.54.0 and below. The vulnerability was discovered and disclosed on August 4, 2025, affecting the channel window adjust message handling in the SSH protocol. This security issue impacts the library's ability to track free space in the receive buffer of channel communications (GitHub Advisory).

The vulnerability stems from improper handling of the channel window adjust message in the SSH protocol. The implementation incorrectly adds a value from the message to an internal state value without proper overflow checks in both server/encrypted.rs and client/encrypted.rs files. When Rust code is compiled with overflow checks enabled, this can result in an integer overflow, leading to a panic condition. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-190: Integer Overflow or Wraparound (GitHub Advisory, NVD).

The primary impact of this vulnerability is on server deployments. A malicious client can potentially crash the server by triggering the integer overflow condition, resulting in a denial of service. While a malicious server could also crash a client, this impact is considered less critical. The vulnerability affects availability but does not compromise confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in version 0.54.1 of the Russh library. The fix implements proper overflow checking using saturating addition (saturating_add) to prevent integer overflow conditions. Users are advised to upgrade to version 0.54.1 or later. The fix can be found in the patch commit that implements proper bounds checking for the channel window size (GitHub Commit).