Topic: wolfSSH 1.4.21 Released
Version 1.4.21 of wolfSSH is now available! This update includes a critical security fix, improved interoperability, and enhancements for embedded and hardware-backed key use cases.
Security Updates
This release addresses two security issues:
CVE-2025-11625: Fixed a client-side host verification bypass that could expose credentials. (PR#840)
CVE-2025-11624: Fixed an SFTP server stack overflow triggered by malformed input. Thanks to Stanislav Fort of Aisle Research for the report.
Feature Additions
TPM key authentication for hardware-based identity protection.
ED25519 key generation support added to the API.
Curve25519 alias compatibility with curve25519-sha256@libssh.org for improved interoperability.
Keyboard-interactive authentication can now be enabled at build time (--enable-keyboard-interactive).
AES-CBC is now disabled by default, shifting focus toward stronger default cipher suites.
Added Microchip ATSAMV71Q21B example with Harmony filesystem integration.
This version refines FATFS support, enhances user authentication handling, and improves SFTP and rekeying operations. Post-quantum hybrid support was also touched up, along with numerous Coverity findings, warning cleanups, and minor API consistency fixes.
Users of the wolfSSH client code or SFTP server should upgrade, particularly those relying on host verification.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.