vulnerability in zrok project

[ankitdn]

While working on zrok project, I identified a vulnerability (CVE-2025-66406) in Step CA’s SSHPOP provisioner. Due to an improper authorization check, an attacker with limited access could revoke SSH certificates without proper permissions, potentially disrupting secure access across systems using these certificates.

CVE Link
CVE Report

[michaelquigley]

This is an indirect dependency for zrok, and zrok in no way uses Step CA's SSHPOP provisioner. We will update the indirect dependency for the next major zrok release.

[michaelquigley]

$ go mod why github.com/smallstep/certificates
go: downloading github.com/tidwall/gjson v1.17.1
go: downloading github.com/tidwall/pretty v1.2.0
# github.com/smallstep/certificates
(main module does not need package github.com/smallstep/certificates)

[michaelquigley]

Will be released in v1.1.11.