Security Concern – OpenSSH Vulnerability (CVE-2025-26465) on Railway

augmentimpactPRO

4 months ago

Hi Railway Support,

I’m reaching out because we’ve been alerted to a security vulnerability (CVE-2025-26465) affecting OpenSSH versions 6.8p1 to 9.9p1. After checking, we confirmed that our Railway environment is running OpenSSH 9.8p1 (LibreSSL 3.3.6), which is still vulnerable.

We need some clarification on two things:

  1. VerifyHostKeyDNS Configuration – Could you confirm whether VerifyHostKeyDNS is enabled (yes) or disabled (no) in our environment? If it’s enabled, is there a way for us to disable it, given that we don’t have root access?

  2. OpenSSH Upgrade Timeline – Is there a plan to upgrade OpenSSH to 9.9p2 or later? If so, do you have an estimated timeline for when that will happen?

This is important for us to address because the vulnerability could expose SSH connections to potential MITM attacks, and our project is being used in collaboration with international partners.

Appreciate any guidance you can provide on this. Let me know if you need any additional details.

Best,
Sebastian


unicodeveloperPRO

4 months ago

Hi there, thanks for reaching out. These are the answers to the questions asked:

  1. VerifyHostKeyDNS is not enabled.

  2. For OpenSSH, not to worry, because we don't have that user-facing.
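A way to verify both answers from your own side, as an added example and not code from the thread or from Railway: it parses `ssh -V` and `ssh -G` output to decide whether the client version falls inside the 6.8p1 to 9.9p1 range named above and whether VerifyHostKeyDNS is set. The sample banner and config output are constructed to match the thread; `example.com` is a placeholder host.

```python
"""Check an OpenSSH client against the CVE-2025-26465 affected range (6.8p1..9.9p1)
and report whether VerifyHostKeyDNS is enabled, from `ssh -V` / `ssh -G` output."""
import re
import subprocess

# Affected range as stated in the thread; 9.9p2 and later are fixed.
AFFECTED_MIN = (6, 8, 1)
AFFECTED_MAX = (9, 9, 1)


def parse_openssh_version(banner):
    """Turn 'OpenSSH_9.8p1, LibreSSL 3.3.6' into (9, 8, 1); None if not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_in_affected_range(version):
    """Tuple comparison handles 9.9p1 (affected) vs 9.9p2 (fixed) correctly."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def verify_host_key_dns_enabled(ssh_g_output):
    """Parse `ssh -G <host>` output; keywords are printed lowercase there."""
    for line in ssh_g_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "verifyhostkeydns":
            # Anything other than "no" (i.e. "yes" or "ask") triggers the DNS lookup.
            return parts[1].strip().lower() != "no"
    return False  # OpenSSH's compiled-in default is "no"


def assess(banner, ssh_g_output):
    v = parse_openssh_version(banner)
    affected = version_in_affected_range(v)
    dns = verify_host_key_dns_enabled(ssh_g_output)
    return {"version": v, "affected_version": affected,
            "verifyhostkeydns": dns, "exposed": affected and dns}


def assess_local_client(host="example.com"):
    """Live check against the installed ssh binary (ssh -V prints to stderr)."""
    banner = subprocess.run(["ssh", "-V"], capture_output=True, text=True).stderr
    cfg = subprocess.run(["ssh", "-G", host], capture_output=True, text=True).stdout
    return assess(banner, cfg)


# Constructed sample matching the thread, not real output from the Railway environment.
SAMPLE_BANNER = "OpenSSH_9.8p1, LibreSSL 3.3.6"
SAMPLE_SSH_G = "user sebastian\nhostname example.com\nverifyhostkeydns no\nstricthostkeychecking ask\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_SSH_G))
```

With the sample input the version is flagged as in range but `exposed` is False, because VerifyHostKeyDNS is `no`, which matches the support reply.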
