fix(deps): update rust crate russh to 0.60 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
russh	dependencies	minor	0.57 → 0.60

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

russh has pre-auth DoS via unbounded allocation in its keyboard-interactive auth handler

GHSA-f5v4-2wr6-hqmg

More information

Details

Summary

A pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials.

Vulnerability Details

In russh/src/server/encrypted.rs, the function read_userauth_info_response decodes a u32 count from the client's SSH_MSG_USERAUTH_INFO_RESPONSE and passes it directly to Vec::with_capacity():

let n = map_err!(u32::decode(r))?;

// Bound both allocation and iteration by remaining packet data to
// prevent a malicious client from causing a multi-GB allocation or
// billions of loop iterations with a crafted count.
// Each response needs at least 4 bytes (length prefix).
let max_responses = r.remaining_len().saturating_add(3) / 4;
let n = (n as usize).min(max_responses);
let mut responses = Vec::with_capacity(n);
for _ in 0..n {
    responses.push(Bytes::decode(r).ok())
}

An attacker can send n = 0x10000000 (268M) or larger in a minimal packet (~50 bytes after encryption). The server attempts to allocate n * ~24 bytes (size of Option<Bytes>) = ~6.4GB, causing an OOM crash.

Attack Flow

1. Attacker connects via TCP, completes key exchange (no credentials needed -- this is the anonymous DH handshake, not authentication)
2. Sends USERAUTH_REQUEST with method keyboard-interactive
3. Server handler returns Auth::Partial with prompts (standard for 2FA/TOTP)
4. Attacker sends USERAUTH_INFO_RESPONSE with n = 0x10000000 and no response data
5. Server calls Vec::with_capacity(268_435_456), OOM killed

No authentication is required. The allocation occurs before the handler validates any credentials. The attack is repeatable faster than the server can restart.

Affected Configurations

Any russh-based server where the Handler::auth_keyboard_interactive implementation returns Auth::Partial (i.e., sends prompts to the client). The default handler returns Auth::reject() and is not affected.

Source code review suggests that downstream projects using keyboard-interactive for multi-step auth (e.g., TOTP/2FA) follow the affected pattern, since returning Auth::Partial before credential verification is the intended API usage for prompting.

Confirmed End-to-End PoC

There is a complete Docker-contained PoC confirming the OOM kill:

• Minimal russh server returning Auth::Partial for keyboard-interactive
• Python client (paramiko for key exchange) sends malformed USERAUTH_INFO_RESPONSE
• Container with 512MB memory limit; server is OOM-killed (exit code 137)

Available on request.

Proposed Fix

Cap the Vec::with_capacity allocation to what the remaining packet data can actually contain. Each response requires at least 4 bytes (length prefix), so:

let n = map_err!(u32::decode(r))?;

// Bound both allocation and iteration by remaining packet data to
// prevent a malicious client from causing a multi-GB allocation or
// billions of loop iterations with a crafted count.
// Each response needs at least 4 bytes (length prefix).
let max_responses = r.remaining_len().saturating_add(3) / 4;
let n = (n as usize).min(max_responses);
let mut responses = Vec::with_capacity(n);
for _ in 0..n {
    responses.push(Bytes::decode(r).ok())
}

This bounds the allocation to at most the packet size (~256KB), while preserving the existing behavior for well-formed packets. This fix has been implemented, tested, and contributed via the temporary private fork.

Severity

Pre-auth, remote, no credentials required, crashes the server process affecting all active sessions.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg
• https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1
• https://github.com/Eugeny/russh/releases/tag/v0.60.1
• https://github.com/advisories/GHSA-f5v4-2wr6-hqmg

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

warp-tech/russh (russh)

v0.60.1

Compare Source

Security fixes

GHSA-f5v4-2wr6-hqmg in 6c3c80a

This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition in a russh based server if keyboard-interactive authentication is allowed. A malicious authentication packet could trigger a multi-GB memory allocation likely leading to the process getting killed by the OOM killer.

Fixes

• a9057ed: fixed #​687 - PKCS8 key encryption not working (#​688) (Eugene) #​688

v0.60.0

Compare Source

Changes

• dad8de6: use rand 0.10 (#​673) (Joe Grund) #​673

Fixes

• kex: separate GEX peer request validation from client config (#​684) #​684 (Artem Medvedev)

v0.59.0

Changes

• auth: add certificate-based authentication via SSH agent (#​632) #​632 (wi-adam)
• 6996711: Replace libcrux-ml-kem with RustCrypto ml-kem (#​660) (kpcyrd) #​660

Fixes

• 084dbcf: Replace Deprecated Function Calls to criterion::black_box() (#​683) (Roger Knecht) #​683
• debc93c: Update dev-dependencies (env_logger, clap, termion) (#​671) (kpcyrd) #​671
• 24d7527: Forward ChannelMsg::Close to channel before dropping sender (#​674) (Corey Leavitt) #​674
• bb9cc42: Fix and harden deferred channel EOF/CLOSE replay after rekey (#​670) (Mika Cohen) #​670
• 3047787: Reduce size of ReadSshIdBuffer, add unit tests (#​672) (kpcyrd) #​672
• bcdc9b9: Bump aws-lc-rs to fix RUSTSEC-2026-0044 and RUSTSEC-2026-0048 (#​681) (Roger Knecht) #​681

Misc

• 6270229: Update Rust dependencies (#​676) (Roger Knecht) #​676

v0.58.0

Compare Source

Changes

• eliminate mlock/munlock overhead for non-secret buffers (~21% throughput improvement) (#​653) #​653 (Mika Cohen)

  • Non-sensitive data buffers are no longer wrapped in CryptoVec, reducing the performance overhead. A few public functions that took CryptoVec now take impl Into<Bytes> instead.

• 6f70150: Remove heap allocations from SshId (#​656) (kpcyrd) #​656

  • SshId::Standard() now contains a Cow<'static, str> instead of a String.

• 0f51860: Expose HostConfig fields to external consumers (#​652) (François Bernier) #​652

• e75de5a: Add russh/serde feature to enable serde on russh::keys::PublicKey (#​655) (kpcyrd) #​655

• replace memset with zeroize in resize() method (#​634) #​634 (Eric Rodrigues Pires)

• bump thiserror to latest version (#​651) #​651 (Roger Knecht)

• b7ce487: Remove Home Crate Dependency (#​667) (Roger Knecht) #​667

• bebe8c0: fixed #​658 - make Handle::tcpip_forward and Handle::streamlocal_forward take &self (Eugene)

Fixes

• use remote channel ID in CHANNEL_REQUEST replies (#​662) #​662 (Mota-Link)
• accept full 256k channel packets (#​666) #​666 (Mika Cohen)
• aa43795: Harden Windows memory locking: fix ERROR_WORKING_SET_QUOTA and edge cases (#​661) (Corey Leavitt) #​661

v0.57.1

Compare Source

Fixes

• prevent deadlock when using make_writer for large transfers (#​630) #​630 (wyebin)
• do not send keepalive before authentication (#​642) #​642 (Lyn)
• 46573ed: Fix zlib vs zlib@openssh.com compression timing (#​564) (#​646) (Guilherme Fontes) #​646

Features

• 591ec26: Improve CryptoVec performance (#​627) (Eric Rodrigues Pires) #​627

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.