5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66406

GHSA ID

GHSA-j7c9-79x7-8hpr

EPSS Score

CWE

CWE-285

Published

12/3/2025

Updated

12/3/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66406

CVE-2025-66406: step-ca Has Improper Authorization Check for SSH Certificate Revocation

Summary

A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with the SSHPOP provisioner. All operators running these provisioners should upgrade to the latest release (v0.29.0) immediately.

The issue was discovered and responsibly disclosed by a research team during a security review. There is no evidence of active exploitation.

To limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information for now. A full write-up will be published in several weeks.

Embargo List

If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.

Acknowledgements

This issue was identified and reported by Gabriel Departout and Andy Russon, from AMOSSYS. This audit was sponsored by ANSSI (French Cybersecurity Agency) based on their Open-Source security audit program.

Stay safe, and thank you for helping us keep the ecosystem secure.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66406

CVE-2025-66406:

5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66406

GHSA ID

GHSA-j7c9-79x7-8hpr

EPSS Score

CWE

CWE-285

Published

12/3/2025

Updated

12/3/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/smallstep/certificates	go	<= 0.28.4	0.29.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an improper authorization check in the SSH certificate revocation process, specifically within the SSHPOP provisioner. The analysis of the security patch (commit 1011f5f5408b470a636f583bf74c0d7bbaf75d72) reveals the root cause and the affected functions.

The primary vulnerable function is github.com/smallstep/certificates/authority/provisioner.(*SSHPOP).AuthorizeSSHRevoke. Before the patch, this function did not correctly validate that the serial number of the SSH certificate being revoked matched the identity (subject) within the authorization token. This allowed a user with rights to get a token to revoke any SSH certificate, not just their own.

The exploitation path starts at the github.com/smallstep/certificates/api.SSHRevoke API endpoint, which receives the revocation request. This endpoint calls into the github.com/smallstep/certificates/authority.(*Authority).Authorize method, which in turn dispatches to the vulnerable (*SSHPOP).AuthorizeSSHRevoke function. After authorization, (*Authority).Revoke is called to complete the revocation.

The patch addresses the vulnerability at two levels:

It corrects the logic in (*SSHPOP).AuthorizeSSHRevoke to strictly compare the token subject with the certificate serial number.
It adds a defense-in-depth check in (*Authority).Revoke to also compare the serial number from the request with the token subject, preventing similar issues in other provisioners and providing an extra layer of security.

Therefore, during an exploit, api.SSHRevoke, authority.Authorize, provisioner.(*SSHPOP).AuthorizeSSHRevoke, and authority.Revoke would all appear in a runtime profile.

Vulnerable functions

github.com/smallstep/certificates/authority/provisioner.(*SSHPOP).AuthorizeSSHRevoke

authority/provisioner/sshpop.go

The vulnerability lies in the `AuthorizeSSHRevoke` function of the `SSHPOP` provisioner. Before the patch, the function performed an improper authorization check. It failed to properly verify that the identity in the revocation token matched the serial number of the SSH certificate being revoked. An attacker could craft a token to revoke an arbitrary SSH certificate. The patch fixes this by strictly comparing the token's subject with the certificate's serial number and returning a `Forbidden` error if they do not match.

github.com/smallstep/certificates/api.SSHRevoke

api/sshRevoke.go

This is the API endpoint that handles SSH certificate revocation requests. It receives the potentially malicious request containing a crafted token and initiates the authorization and revocation process by calling `authority.Authorize` and `authority.Revoke`. This function would be the entry point for an exploit and would appear in runtime profiles.

github.com/smallstep/certificates/authority.(*Authority).Revoke

authority/tls.go

This function in the authority orchestrates the certificate revocation process. It was modified to add a defense-in-depth check, ensuring that the serial number provided in the revocation request matches the subject of the authorization token. The absence of this check in the vulnerable version contributed to the improper authorization vulnerability, as it relied solely on the provisioner's authorization logic.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66406: step-ca Has Improper Authorization Check for SSH Certificate Revocation

Summary

Embargo List

Acknowledgements

CVE-2025-66406:

5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5

5

Technical Details

Basic Information

Basic Information

CVE-2025-66406: step-ca Has Improper Authorization Check for SSH Certificate Revocation

Summary

Embargo List

Acknowledgements

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI