Is russh affected by CVE-2023-28113?

crates.io russh is affected in =0.37.0 <0.37.1.

Is CVE-2023-28113 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

medium

CVE-2023-28113

Q: Is CVE-2023-28113 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

crates.io · russh

Summary

russh may use insecure Diffie-Hellman keys

Severity: medium
EPSS: 0.6% (p45)
Also known as: GHSA-cqvm-j2r2-hwpg
Published: 2023-03-17

References

https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg
https://nvd.nist.gov/vuln/detail/CVE-2023-28113
https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd

Related advisories

CVE-2026-48110 — high · crates.io/russh
CVE-2026-46702 — high · crates.io/russh
CVE-2026-46673 — high · crates.io/russh
CVE-2026-42189 — high · crates.io/russh
CVE-2024-43410 — high · crates.io/russh
CVE-2026-48108 — medium · crates.io/russh
CVE-2026-48107 — medium · crates.io/russh
CVE-2026-46705 — medium · crates.io/russh

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.