AsyncSSH before 2.14.1 Rogue Session Attack (PIP package)

Created: 2024/02/26 | Revised: 2024/02/26




AsyncSSH before 2.14.1 is prone to Rogue Session Attacks.


AsyncSSH, a popular asynchronous SSH library for Python, has been found to contain several vulnerabilities in versions released before 2.14.1. These vulnerabilities expose users to significant risks, including unauthorized control over SSH connections and potential manipulation of extension info messages. Attackers could exploit these vulnerabilities to execute 'Rogue Extension Negotiation' attacks and 'Rogue Session Attacks', compromising the security and integrity of SSH communications.


An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a 'Rogue Extension Negotiation'.


An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a 'Rogue Session Attack'.


These vulnerabilities could allow attackers to gain unauthorized access, manipulate SSH connections, and compromise the confidentiality, integrity, and availability of sensitive information and systems.

Successful exploitation of these vulnerabilities could lead to unauthorized data access, remote code execution, or complete system compromise, posing significant risks to affected organizations and users.


Users are strongly advised to upgrade their installations of AsyncSSH to version 2.14.1 or later.

The latest release is available at:

Asynchronous SSH for Python
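
To find where the upgrade is still needed, the following added example (not from this advisory or the AsyncSSH project) classifies AsyncSSH entries in a pip requirements file against the fixed release 2.14.1 and checks the copy installed in the current environment. The function names and the sample requirements are constructed for illustration, and versions are assumed to be final releases without rc/dev tags.

```python
import re
from importlib import metadata

FIXED = (2, 14, 1)  # first fixed AsyncSSH release named in the advisory
# "asyncssh", optional [extras], then the specifier up to a marker or comment
REQ = re.compile(r"^\s*asyncssh(?![\w.-])\s*(?:\[[^\]]*\])?([^;#]*)", re.I)
CLAUSE = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*(\d+(?:\.\d+)*)(\.\*)?")

def parse_version(text):
    """'2.14' -> (2, 14, 0); assumes final releases (no rc/dev tags)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(line):
    """None for non-AsyncSSH lines, else 'vulnerable', 'fixed' or 'review'."""
    m = REQ.match(line)
    if not m:
        return None
    for op, ver, wildcard in CLAUSE.findall(m.group(1)):
        v = parse_version(ver)
        if op in ("==", "===") and not wildcard:
            return "vulnerable" if v < FIXED else "fixed"
        if op in (">=", "~=") and v >= FIXED:
            return "fixed"  # lower bound already excludes pre-2.14.1 releases
    return "review"  # unpinned, wildcard, or a range that still admits < 2.14.1

def audit(text):
    """List (line_number, requirement, status) for each AsyncSSH requirement."""
    rows = [(n, l.strip(), classify(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [r for r in rows if r[2]]

def installed_status():
    """Status of the AsyncSSH copy installed here, or None if absent."""
    try:
        return classify("asyncssh==" + metadata.version("asyncssh"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample requirements file (not from the advisory).
SAMPLE = """\
asyncssh==2.13.2
AsyncSSH[bcrypt]>=2.14.1
asyncssh~=2.13   # range still admits 2.14.0
asyncssh-helper==0.1
"""

if __name__ == "__main__":
    for n, req, status in audit(SAMPLE):
        print(f"line {n}: {req!r} -> {status}")
    print("installed:", installed_status())
```

A "review" result means the specifier does not by itself rule out a pre-2.14.1 release, so the version actually resolved at install time decides exposure.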

©2024 by Syxsense Inc. All Rights Reserved
