wolfSSL/wolfssh

📦 Vulnerabilities

• [Low] CVE-2026-0930. Potential read out of bounds case with wolfSSHd on
• Windows while handling a terminal resize request. An authenticated user could
• trigger the out of bounds read after establishing a connection which would
• leak the adjacent stack memory to the pseudo-console output. Thanks to Luigino
• Camastra and Pavel Kohout for the report. Fixed in PR 864

✨ New Features

• Added ML-KEM hybrid KEX algorithms `mlkem1024nistp384-sha384` and
• `mlkem768x25519-sha256` from draft-ietf-sshm-mlkem-hybrid-kex, with KEX tests
• driven by name and a GitHub action testing interop against OpenSSH. (PR 869)
• Allowed building wolfSSH against a wolfSSL FIPS build that has HashDRBG
• disabled. (PR 833)
• Added `lcd` and `lls` commands to the SFTP example client for changing and
• listing the local working directory within a session. (PR 909)
• Added a public accessor function for retrieving a channel's type. (PR 873)
• + 15 more

📦 Improvements

• Replaced `WMEMCMP` in `CheckAuthKeysLine` with a constant-time comparison
• to avoid leaking authorized-key material through timing. (PR 915)
• Switched SFTP `RecvOpen` to use the same `GetAndCleanPath()` helper that
• the other SFTP handlers use. (PR 867)
• Hardened `wolfSSH_CleanPath` used by SCP. (PR 865)
• Reworked `wolfSSH_SFTP_RecvOpen` to allocate the response buffer outside
• the success path and added a centralized cleanup phase so failure cases
• send a proper SFTP status packet. (PR 905)
• + 47 more

🐛 Fixes

• Fixed an SFTP server hang on `WS_WANT_WRITE` with non-blocking sockets:
• `wolfSSH_SFTP_buffer_send()` now flushes any pending output buffered from
• a previous `WS_WANT_WRITE` before queuing more data. (PR 876)
• Fixed a Coverity untrusted-divisor finding by reworking `ato32()` to mask
• and shift defensively. (PR 870, CID 572837)
• Simplified and fixed `AddAssign64` when `WOLFSSL_MAX_32BIT` is not
• defined. (PR 894)
• Added bounds checks in the FatFS-backed `ff_close`, `ff_pwrite`, and
• + 47 more

📦 Vulnerabilities

• [Critical] CVE-2025-14942. wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report. (PR 855)
• [Medium] CVE-2025-15382. The function used to clean up a path string may read one byte off the end of the bounds of the string. The function is used by the SCP handling in wolfSSH. This affects server applications with wolfSSH versions 1.4.12 through 1.4.21, inclusive. Thanks to Luigino Camastra from Aisle Research for the report. (PR 859)

✨ New Features

• Added a complete SFTP client example for the Renesas RX72N platform. (PR 847)
• Enabled TSIP support and provided cleaned-up configuration headers for the RX72N example. (PR 847)
• Added FIPS-enabled build configurations to the Visual Studio project files. (PR 851)
• Added documentation describing how to build and use the new FIPS Visual Studio configurations. (PR 851)
• Introduced regression tests covering SSH agent signing, including error paths and successful operation. (PR 856)
• Added regression tests that explicitly exercise WANT_READ / WANT_WRITE paths to guard against deadlocks. (PR 856)

📦 Improvements

• Refactored SSH string parsing by unifying GetString() and GetStringAlloc() around GetStringRef(), simplifying maintenance and reducing duplication. (PR 857)
• Enhanced SSH message-order validation by introducing explicit expected-message tracking and clearer message ID range macros. (PR 855)
• Improved server-side out-of-order message checking to align behavior with the stricter client implementation. (PR 855)
• Improved worker thread behavior under window backpressure by prioritizing receive handling, preventing stalls with small-window SFTP clients. (PR 856)
• Hardened SSH agent handling logic by validating response types, tracking message IDs, and enforcing strict buffer size limits. (PR 845)
• Improved SCP path handling by canonicalizing client-supplied base paths before filesystem access. (PR 845)
• Improved portability by replacing non-standard <sys/errno.h> includes with standard <errno.h>. (PR 852)
• Reduced logging overhead by defining WLOG as a no-op when debugging is disabled. (PR 839)
• + 1 more

🐛 Fixes

• Fix off-by-1 read error when cleaning the file path for SCP. (PR 859)
• Fixed incorrect handling of zero-length SSH strings in packet parsing. (PR 857)
• Fixed a worker-thread deadlock caused by blocked sends preventing window-adjust processing. (PR 856)
• Fixed a double-free crash and eliminated a socket-close spin loop under error conditions. (PR 855)
• Fixed uninitialized authentication data that could lead to undefined behavior during authentication. (PR 854)
• Fixed SFTP connection interoperability issues discovered through cross-implementation testing. SFTP fix for init to handle channel data which resolves a potential interoperability SFTP connection issue. (PR 846)
• Fixed SCP receive handling to reject traversal filenames containing path separators or “dot” components. (PR 845)
• Fixed missing declaration of wc_SSH_KDF that caused build failures under strict compiler warnings. (PR 848)
• + 2 more

📦 Vulnerabilities

• [Critical] CVE-2025-11625 The client's host verification can be bypassed by a malicious server, and client credentials leaked. This affects client applications with wolfSSH version 1.4.20 and earlier. Users of wolfSSH on the client side must update or apply the fix patch and it’s recommended to update credentials used. Fixed in PR (https://github.com/wolfSSL/wolfssh/pull/840)
• [Med] CVE-2025-11624 Potential for stack overflow write when reading the file handle provided by an SFTP client. After a SFTP connection was established there is the case where a SFTP client could craft a malicious read, write or set state SFTP packet which would cause the SFTP server code to write into stack. Thanks to Stanislav Fort of Aisle Research for the report. Fixed in PR (https://github.com/wolfSSL/wolfssh/pull/834)

✨ New Features

• Curve25519 interoperability with LibSSH. Update to treat curve25519-sha256@libssh.org as an alias for curve25519-sha256 (PR 789)
• Microchip example for ATSAMV71Q21B and harmony filesystem support (PR 790)
• Make Keyboard Interactive a compile time option, enabled using --enable-keyboard-interactive. Off by default. (PR 800)
• wolfSSH support for using TPM based key for authentication (PR 754)
• By default, soft disable AES-CBC. It isn't offered as a default encrypt algorithm, but may be set at runtime (PR 804)
• Add ED25519 key generation support. (PR 823)

📦 Improvements

• Add GitHub Action for testing wolfSSH server with Paramiko SFTP client (PR 788)
• Additional sanity checks on message types during rekey (PR 793)
• FATFS improvements, test and Linux example (PR 787)
• Adjust behavior when getting WOLFSSH_USERAUTH_REJECTED return from callback. It now will reject and not continue on with user auth attempts. (PR 837)
• Rename arguments and variables to idx instead of index to avoid shadowed variables. (PR 828)
• Move user filesystem override to the top of the ports check so that the override also overrides enabled ports. (PR 805)
• Remove keyboard auth callback and use a generic auth callback (PR 807)
• Update Espressif examples and add getting started info to Espressif README (PR 810, 771)
• + 7 more

🐛 Fixes

• Fix SFTP data truncation by moving sentSzSave to state structure(PR 785)
• Fix SFTP Symlink Indication. (PR 791)
• Fix warning on FATFS builds (PR 796)
• Keyboard Interactive bug fixes (PR 801, 802)
• Fix double-free on `wolfSSH_SFTPNAME_readdir` (PR 806)
• Adjust the highwater check location to avoid masking the return value. (PR 795)
• DoAsn1Key now fails when WOLFSSH_NO_RSA is defined (PR 808)
• Avoid potential for overflow/underflow in comparison by rearranging evaluation of unsigned condition. (PR 814)
• + 7 more

✨ New Features

• Added DH Group 16 and HMAC-SHA2-512 support (PR 768)
• Added RFC-4256 keyboard-interactive authentication support (PR 763)

🐛 Enhancements and Fixes

• Enhancement to pass dynamic memory heap hint to init RNG call (PR 749)
• Update SCP example to properly free memory upon failure (PR 750)
• Address memory management during socket timeouts in wolfSSHd (PR 752)
• Modify wolfSSHd to terminate child processes following SSH connection failures
• (PR 753)
• Fix for wolfSSHd handling of pipes with forced commands (PR 776)
• Resolve SFTP compilation issues with WOLFSSH_FATFS (PR 756)
• Refactor and simplify autogen script (PR 758)
• + 4 more

✨ New Features

• Add DH Group 14 with SHA256 KEX support (PR 731)

📦 Improvements

• Use of the new SSH-KDF function in wolfCrypt (PR 729)
• Adds macro guards to the non-POSIX value checks and updates with TTY modes (PR 739)
• Add CI test against master and last two wolfSSL releases (PR 746)
• Show version of wolfSSL linked to when application help messages are printed out (PR 741)
• Purge OQS from wolfSSH and instead use Kyber implementation from wolfssl (PR 736)
• Adjust Espressif wolfssl_echoserver example timehelper (PR 730)

🐛 Fixes

• Remove Inline for function HashForId() to resolve clash with WOLFSSH_LOCAL declaration (PR 738)
• Fix for wolfSSHd’s handling of re-key and window full when processing a command with lots of stdout text (PR 719)
• Fix for wolfSSH client app to gracefully clean up on failure and added more WLOG debug messages (PR 732)
• Minor static analysis report fixes (PR 740, 735)
• Fix for handling SFTP transfer to non-existent folder (PR 743)

✨ New Features

• Add wolfSSL style static memory pool allocation support.
• Add Ed25519 public key support.
• Add Banner option to wolfSSHd configuration.
• Add non-blocking socket support to the example SCP client.

📦 Improvements

• Documentation updates.
• Update the Zephyr test action.
• Add a no-filesystem build to the Zephyr port.
• Update the macOS test action.
• Refactor certificate processing. Only verify certificates when a signature is present.
• Update the Kyber test action.
• Refactor the Curve25519 Key Agreement support.
• Update the STM32Cube Pack.
• + 13 more

🐛 Fixes

• Refactor wolfSSHd service support for Windows to fix PowerShell Write-Progress.
• Fix partial success case with public key user authentication.
• Fix the build guards with respect to cannedKeyAlgoNames.
• Error if unable to open the local file when doing a SCP send.
• Fix some IPv6 related build issues.
• Add better checks for SCP error returns for closed channels.
• In the example SCP client, move the public key check context after the WOLFSSH object is created.
• Fix error reporting for wolfSSH_SFTP_STAT.
• + 9 more

📋 Changes

• Fixes a vulnerability where a properly crafted SSH client can bypass user
• When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake,
• The example server in directory examples/server/server.c has been removed.
• Added functions to set algorithms lists for KEX at run-time, and some
• In v1.4.15, we had disabled SHA-1 in the build by default. SHA-1 has been
• Add Curve25519 KEX support for server/client key agreement.
• Clean up some issues when building for Nucleus.
• Clean up some issues when building for Windows.
• + 12 more

📋 Changes

• Fixes a potential vulnerability described in the paper "Passive SSH Key Compromise via Lattices". While the misbehavior described hasn't been observed in wolfSSH, the fix is now implemented. The RSA signature is verified before sending to the peer.
• Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger. 2023. Passive SSH Key Compromise via Lattices. Cryptology ePrint Archive, Report 2023/1711. https://eprint.iacr.org/2023/1711.
• When building wolfSSL/wolfCrypt versions before v5.6.6 with CMake, wolfSSH may have a problem with RSA keys. This is due to wolfSSH not checking on the size of `___uint128_t`. wolfSSH sees the RSA structure as the wrong size. You will have to define `HAVE___UINT128_T` if you know you have it and are using it in wolfSSL. wolfSSL v5.6.6 exports that define in options.h when using CMake.
• Added wolfSSH client application.
• Added support for OpenSSH-style private keys, like those made by ssh-keygen.
• Added support for the Zephyr RTOS.
• Added support for multiple authentication schemes in the userauth callback with the error response `WOLFSSH_USERAUTH_PARTIAL_SUCCESS`.
• Allow override of default sshd user name at build.
• + 27 more

📋 Changes

• Improvement to forking the wolfSSHd daemon.
• Added an STM32Cube Expansion pack. See the file _ide/STM32CUBE/README.md_ for more information. (https://www.wolfssl.com/files/ide/I-CUBE-wolfSSH.pack)
• Improved test coverage for wolfSSHd.
• X.509 style private key support.
• Fixed shadow password checking in wolfSSHd.
• Building cleanups: warnings, types, 32-bit.
• SFTP fixes for large files.
• Testing and fixes with SFTP and LwIP.
• + 1 more

✨ New Feature Additions and Improvements

• Support for Green Hills Software's INTEGRITY
• wolfSSHd Release (https://github.com/wolfSSL/wolfssh/pull/453 rounds off testing and additions)
• Support for RFC 6187, using X.509 Certificates as public keys
• OCSP and CRL checking for X.509 Certificates (uses wolfSSL CertManager)
• Add callback to the server for reporting userauth result
• FPKI profile checking support
• chroot jailing for SFTP in wolfSSHd
• Permission level changes in wolfSSHd
• + 4 more

🐛 Fixes

• Fixes for compiler complaints using GHS compiler
• Fixes for compiler complaints using GCC 4.0.2
• Fixes for the directory path cleanup function for SFTP
• Fixes for SFTP directory listing when on Windows
• Fixes for large file transfers with SFTP
• Fixes for port forwarding
• Fix for building with QNX
• Fix for the wolfSSHd grace time alarm
• + 2 more

📦 Vulnerabilities

• The vulnerability fixed in wolfSSH v1.4.8 finally issued CVE-2022-32073

✨ New Feature Additions and Improvements

• Alpha version of SSHD implementation (--enable-sshd)
• ECDSA key generation wrapper
• Espressif port and component install
• Improvements to detection of ECC RNG requirement

🐛 Fixes

• Handle receiving extended data type with SCP connections
• Multiple non blocking fixes in SSH and SFTP use cases
• Fix for handling '.' character in file name with SFTP
• Windows build fix for SFTP with log timestamps enabled
• Fix to handle listing large directories with SFTP LS function
• Fix for checking path length when cleaning it (SFTP/SCP)

✨ New Feature Additions and Improvements

• Additional small stack optimizations to reduce stack used farther
• Update to Visual Studio paths for looking for wolfSSL library
• SFTP example, reset timeout value with get/put command
• Add support for flushing file IO using WOLFSCP_FLUSH
• Add preprocessor guards for RSA/ECC to agent and the example and test applications
• Initialization of variables to avoid warnings and use with ESP-IDF

🐛 Fixes

• When scp receives a string in STDERR, print it out, rather than treating it as an error
• Window adjustment refactor and fix
• fix check on RSA import size
• Fix for building with older GCC versions (tested with 4.0.2)
• SFTP fix handling sent data sz when its size is greater than peer max packet size
• SFTP add error return code for a bad header when sending a packet
• KCAPI build fixes for macro guards needed
• SCP fix for handling small and empty message sizes
• + 4 more

✨ New Feature Additions and Improvements

• Add remote port forwarding
• Make loading user created keys into the examples easier
• Add --with-wolfssl and use --prefix to look for wolfSSL
• Updated the unsupported GlobalReq response

🐛 Fixes

• Fix for RSA public key auth
• When decoding SFTP messages, fix the size checks so they don't wrap
• Fix an issue where the testsuite and echoserver a socket failure
• SFTP fix for getting attribute header
• Fix for possible null dereference in SendKexDhReply
• Remove reference to udp from test.h
• Fixes to local port forwarding

✨ New Feature Additions and Improvements

• SCP improvements to run on embedded RTOS
• For SFTP messages, check both minimum bound and maximum bound of the length value
• Added option for --enable-small-stack
• Added SFTP support for FatFs
• Added 192 and 256 bit support for AES-CBC, AES-CTR, and AES-GCM
• Added options to disable algorithms. (ie WOLFSSH_NO_ECDSA, WOLFSSH_NO_AES_CBC, etc)
• Improved handling of builds without ECC

🐛 Fixes

• When processing public key user auth, initialize the key earlier
• When processing public key user auth, use GetSize() instead of GetUint32()
• Fix for better handling rekey
• Fix for build with NO_WOLFSSH_CLIENT macro and --enable-all
• Fix configuration with WOLFSSH_NO_DH
• To add internal function to purge a packet in case building one fails
• Fix for cleanup in error case with SFTP read packet
• Fix initialization of DH Size values

✨ New Feature Additions

• Added optional builds for not using RSA or ECC making the build more modular for resource constrained situations.
• MQX IDE build added
• Command line option added for Agent use with the example client

🐛 Fixes

• Increase the ID list size for interop with some OpenSSH servers
• In the case of a network error add a close to any open files with SFTP connection
• Fix for potential memory leak with agent and a case with wolfSHS_SFTP_GetHandle
• Fuzzing fix for potential out of bounds read in the public key user auth messages
• MQX build fixes
• Sanity check that agent was set before setting the agent’s channel
• Fuzzing fix for bounds checking with DoKexDhReply internal function
• Fuzzing fix for clean up of base path with SCP use
• + 3 more

📦 Improvements and Optimizations

• Example timeout added to SFTP example
• Update wolfSSH_ReadKey_buffer() to handle P-384 and P-521 when reading a key from a buffer
• Use internal version of strdup
• Use strncmp instead of memcmp for comparing session string type

✨ New Feature Additions

• Added SSH-AGENT support to the echoserver and client
• For testing purposes, add ability to have named users with authentication
• type of "none"
• Added support for building for EWARM
• Echoserver can now spawn a shell and set up a pty with it
• Added example to the SCP callback for file transfers without a filesystem

🐛 Fixes

• Fixes for clean connection shutdown in the example.
• Fixes for some issues with DH KEX discovered with fuzz testing
• Fix for an OOB read around the RSA signature
• Fix for building with wolfSSL v4.5.0 with respect to `wc_ecc_set_rng()`;
• configure will detect the function's presence and work around it absence;
• see note in internal.c regarding the flag `HAVE_WC_ECC_SET_RNG` if not
• using configure

📦 Improvements and Optimizations

• Improved interoperability with winSCP
• Improved interoperability with Dropbear
• Example client can now authenticate with public keys

✨ New Feature Additions

• Added wolfSCP client example
• Added support for building for VxWorks

🐛 Fixes

• Fixes for some buffer issues discovered with fuzz testing
• Fixes for some SCP directory issues in Nucleus
• Fixed an issue where a buffer size went negative, cosmetic
• Fixed bug in ECDSA when using alt-ecc-size in wolfCrypt
• Fixed bug with AES-CTR and FIPSv2 build
• Fixed bug when using single precision
• Fix for SCP rename action

📦 Improvements and Optimizations

• Improved interoperability with FireZilla
• Example tool option clarification
• Better SFTP support in 32-bit environments
• SFTP and SCP aren't dependent on ioctl() anymore
• Add password rejection count
• Public key vs password authentication chosen by user auth callback
• MQX maintenance

📦 wolfSSH v1.4.3 (10/31/2019)

• wolfSFTP port to MQX 4.2 (MQX/MFS/RTCS)
• Maintenance and bug fixes
• Improvements and additions to the test cases
• Fix some portablility between C compilers
• Fixed an issue in the echoserver example where it would error sometimes
• on shutdown
• Improvement to the global request processing
• Fixed bug in the new keys message handler where it reported the wrong size
• + 7 more

📦 wolfSSH v1.4.2 (08/06/2019)

• GCC 8 build warning fixes
• Fix for warning with enums used with SFTP and set socket type
• Added example server with Renesas CS+ port
• Fix for initializing UserAuthData to all zeros before use
• Fix for SFTP “LS” operation when setting the default window size to 2048
• Add structure size print out option -z to example client when the macro
• WOLFSSH_SHOW_SIZES is defined
• Additional automated tests of wolfSSH_CTX_UsePrivateKey_buffer and fix for
• + 9 more

📦 wolfSSH v1.4.0 (04/30/2019)

• SFTP support for time attributes
• TCP port forwarding feature added (--enable-fwd)
• Example tcp port forwarding added to /examples/portfwd/portfwd
• Fixes to SCP, including default direction set
• Fix to match ID during KEX init
• Add check for window adjustment packets when sending large transfers
• Fixes and maintenance to Nucleus port for file closing
• Add enable all option (--enable-all)
• + 18 more