| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tabby-ssh | npm | < 1.0.214 | 1.0.214 |

The vulnerability stems from a missing synchronization point between host key verification and authentication. The commit diff shows that the critical fix was adding `await hostVerifiedPromise` before invoking the auth callback. This indicates that the original `authHandler` in `SSHSession` (in `ssh.ts`) did not wait for host verification to complete, so credentials could be transmitted before the host key had been verified. The CWE-200 mapping confirms this is an exposure of sensitive information during an insecure state.
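
The race described above, as an added example: this is a constructed model, not Tabby's code or the commit's diff. Only `authHandler` and `hostVerifiedPromise` are names from the advisory; `simulateSession`, the timer standing in for the host key prompt, and the sample password are assumptions.

```javascript
// Constructed model of the race; not Tabby's code. Only authHandler and
// hostVerifiedPromise are names from the advisory, the rest is hypothetical.
function simulateSession({ awaitHostVerification, userAcceptsHostKey }) {
  const sent = [];            // credentials that reached the (untrusted) wire
  let hostState = 'pending';  // pending -> verified | rejected

  // Host key verification is asynchronous (e.g. a "trust this key?" prompt),
  // so it settles some time after the transport starts asking for auth.
  const hostVerifiedPromise = new Promise((resolve, reject) => {
    setTimeout(() => {
      hostState = userAcceptsHostKey ? 'verified' : 'rejected';
      if (userAcceptsHostKey) resolve();
      else reject(new Error('host key rejected'));
    }, 10);
  });
  hostVerifiedPromise.catch(() => {}); // the unpatched path never observes it

  async function authHandler() {
    if (awaitHostVerification) {
      await hostVerifiedPromise;       // the synchronization point the fix adds
    }
    // Record the verification state at the moment the secret leaves the client.
    sent.push({ secret: 'constructed-password', hostState });
  }

  // The transport invokes the auth callback right away, before the prompt
  // has been answered.
  return authHandler().then(
    () => ({ sent, error: null }),
    (err) => ({ sent, error: err.message })
  );
}

async function demo() {
  const unpatched = await simulateSession({ awaitHostVerification: false, userAcceptsHostKey: false });
  const patched = await simulateSession({ awaitHostVerification: true, userAcceptsHostKey: false });
  const trusted = await simulateSession({ awaitHostVerification: true, userAcceptsHostKey: true });
  return { unpatched, patched, trusted };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the unpatched run the password is recorded while `hostState` is still `pending`, even though the key is later rejected; with the `await` in place a rejected key means nothing is sent.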