All paramiko CVEs — Complete Vulnerability History
paramiko is Python's SSH library. CVEs here are serious because SSH handles authentication and key material. The Terrapin attack (2023) affected virtually all SSH implementations.
PyPI · 20M+ weekly downloads · 3 CVEs total · 1 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-1000805 | 2018 | CRITICAL | Authentication bypass in SSH client | Fixed 2.4.2 |
| CVE-2022-24302 | 2022 | MEDIUM | Race condition in private key file creation | Fixed 2.10.1 |
| CVE-2023-48795 | 2023 | HIGH | Terrapin — SSH prefix truncation attack | Fixed 3.4.0 |
Current safe version: 3.4.0 (covers all three CVEs in the table above). Update the pin in your dependency manifest:

```
# Before
"paramiko==2.12.0"
# After
"paramiko==3.4.0"
```

Then run: `pip install -r requirements.txt`
Common questions
What is the Terrapin attack?
Terrapin (CVE-2023-48795) is a prefix truncation attack against the SSH protocol's handshake. An attacker in a man-in-the-middle position can silently remove certain extension negotiation messages, downgrading security properties of the connection.
Does CVE-2023-48795 require a MitM position?
Yes — the attacker must be able to intercept and modify traffic between client and server (an on-path position). This limits exploitability in practice, but the vulnerability is still worth patching, since the fix is a version bump.
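As an added example (not code from this page or from the paramiko project), the check below classifies a negotiated SSH session's exposure to Terrapin from the two peers' KEXINIT name-lists and the chosen cipher/MAC. It encodes the Terrapin advisory's facts rather than anything this page states: the attack needs ChaCha20-Poly1305 or a CBC cipher paired with an Encrypt-then-MAC (`-etm`) MAC, and it is defeated when both peers signal "strict kex" via the pseudo-algorithms `kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com`, which is the mitigation paramiko's 3.4.0 fix implements. The sample name-lists are constructed.

```python
# Added example, not from the page or paramiko. Terrapin (CVE-2023-48795)
# exposure check from KEXINIT name-lists and the negotiated cipher/MAC.

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # signal sent by clients
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # signal sent by servers


def parse_name_list(raw: str) -> list[str]:
    """Split an SSH name-list (comma-separated, no spaces) into names."""
    return [name for name in raw.split(",") if name]


def vulnerable_mode(cipher: str, mac: str) -> bool:
    """True if the negotiated cipher/MAC pair is one Terrapin can exploit."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True  # AEAD with implicit MAC; the mac argument is irrelevant
    return cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com")


def strict_kex_negotiated(client_kex: list[str], server_kex: list[str]) -> bool:
    """Strict kex is only in effect when BOTH peers advertised their signal."""
    return STRICT_KEX_CLIENT in client_kex and STRICT_KEX_SERVER in server_kex


def terrapin_exposure(client_kex_raw: str, server_kex_raw: str,
                      cipher: str, mac: str) -> str:
    """Classify a session as 'safe-mode', 'mitigated' or 'VULNERABLE'."""
    if not vulnerable_mode(cipher, mac):
        return "safe-mode"        # attack does not apply to this mode
    if strict_kex_negotiated(parse_name_list(client_kex_raw),
                             parse_name_list(server_kex_raw)):
        return "mitigated"        # strict kex rejects the truncated handshake
    return "VULNERABLE"


if __name__ == "__main__":
    # Constructed sample: an unpatched client (no strict-kex signal) talking
    # to a patched server, with the vulnerable ChaCha20 cipher selected.
    old_client = "curve25519-sha256,ecdh-sha2-nistp256"
    new_server = "curve25519-sha256,ecdh-sha2-nistp256," + STRICT_KEX_SERVER
    print(terrapin_exposure(old_client, new_server,
                            "chacha20-poly1305@openssh.com", "<implicit>"))
```

A mixed deployment is the usual finding: one patched side is not enough, because the mitigation only takes effect when both peers advertise it.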