CVE-2025-70034

[giobmoro]

My project is currently affected by CVE-2025-70034 when using ssh2 version 1.17.0.

Could you confirm whether this vulnerability impacts this version? If so, are there any plans to release a fix or patch?

[mscdex]

Your guess is as good as mine. Nobody has contacted me with any details so 🤷‍♂️

[daveokeeffe]

CVE-2025-70034 showed up in a Blackduck scan run on a repo that depends on theophilusx/ssh2-sftp-client, which in turn depends on mscdex/ssh2.

A yarn audit on the same repo doesn't raise any warnings for me, which is confusing.

This CVE details site
https://www.cvedetails.com/cve/CVE-2025-70034/

This report includes a link to a (very unhelpful) gist...

https://gist.github.com/zcxlighthouse/78a0d9b7fcae20294076e8b24f763ce5

And that gist was posted by someone who logged a (very unhelpful) ticket back in December:

#1474

[mscdex]

Unless whoever created the CVE can privately send me more details there's not much that can be done I'm afraid.

Add this one to the many reasons why blindly looking at the existence of CVEs is not the way to go.