CVE-2025-70034
Published: 09 March 2026
Summary
CVE-2025-70034 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Mscdex Ssh2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-70034 is a vulnerability classified under CWE-1333 (Inefficient Regular Expression Complexity, also known as ReDoS) affecting version 1.17.0 of the mscdex ssh2 library. Published on 2026-03-09, it carries a CVSS v3.1 base score of 7.5 (High), reflecting its potential for significant impact despite no effects on confidentiality or integrity.
The vulnerability enables remote, unauthenticated attackers to exploit it over the network with low attack complexity and no user interaction required. Successful exploitation results in high-impact denial of service, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), potentially causing resource exhaustion through malicious inputs that trigger excessive computation in regular expression processing.
References include a GitHub Gist at https://gist.github.com/zcxlighthouse/78a0d9b7fcae20294076e8b24f763ce5 detailing the issue, along with the mscdex organization page (https://github.com/mscdex) and the ssh2 repository (https://github.com/mscdex/ssh2), which security practitioners should review for any advisories, patches, or mitigation guidance specific to affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208436
Vulnerability details
An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in mscdex ssh2 v1.17.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
ReDoS enables remote resource exhaustion DoS via crafted input to vulnerable SSH library regex processing, directly mapping to application exploitation for endpoint denial of service.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identification, prioritization, and timely remediation of software flaws like this ReDoS vulnerability in the mscdex ssh2 library to prevent denial-of-service exploitation.
Provides denial-of-service protections, including monitoring for resource exhaustion indicators from inefficient regex processing triggered by malicious network inputs.
Requires validation of information inputs to block malicious patterns that exploit the inefficient regular expression complexity in ssh2 processing.