CVE-2024-48460: 
JavaScript vulnerability analysis and mitigation

An issue in Eugeny Tabby 1.0.213 was discovered that exposes sensitive authentication information. The vulnerability was disclosed on January 16, 2025, and is tracked as CVE-2024-48460. The issue affects the SSH connection functionality in Tabby terminal emulator (NVD).

The vulnerability stems from improper handling of SSH host key verification failures. When a connection attempt is made, Tabby sends the SSH username and password credentials to the server even when host key verification fails, which violates secure SSH connection practices. The vulnerability has been assigned CWE-295 (Improper Certificate Validation) and has received a CVSS v3.1 Base Score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (CISA-ADP).

This vulnerability allows remote attackers to obtain sensitive information by intercepting SSH credentials. When a user attempts to connect to an SSH server and the host key verification fails, their username and password are still transmitted, potentially exposing these credentials to malicious actors (GitHub Issue).

As of the vulnerability disclosure, no official patch has been released. Users are advised to exercise caution when connecting to SSH servers and avoid using Tabby version 1.0.213 for SSH connections until a fix is available (NVD).