PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5725 JCraft CVE debrief

CVE-2016-5725 describes a directory traversal issue in JCraft JSch before 0.1.54. On Windows, when ChannelSftp.OVERWRITE is used, a remote SFTP server can influence recursive GET handling so that a ..\ sequence in the server response may cause writes outside the intended destination. The impact is integrity-focused rather than confidentiality- or availability-focused, which matches the reported medium CVSS score.

Vendor: Jcraft
Product: CVE-2016-5725
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Teams running Java applications that embed or depend on JCraft JSch 0.1.53 or earlier, especially on Windows and especially if they use SFTP recursive GET operations with ChannelSftp.OVERWRITE. Security and platform owners should also care if untrusted or semi-trusted SFTP servers are allowed to control download destinations.

Technical summary

NVD classifies the issue as CWE-22 (path traversal) with CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerable product scope in the corpus is jcraft:jsch versions through 0.1.53. The described condition is Windows-specific and depends on ChannelSftp.OVERWRITE during recursive GET handling, where a remote server response containing ..\ can lead to arbitrary file writes. The core defensive concern is path normalization failure when server-supplied names are used to construct local file paths.

Defensive priority

Medium. The vulnerability requires a specific API mode (ChannelSftp.OVERWRITE) and a Windows client, but it can still produce a high integrity impact (I:H) through unintended file writes. Prioritize if JSch is exposed to untrusted SFTP servers or used in automated file transfer workflows.

Recommended defensive actions

  • Upgrade JCraft JSch to 0.1.54 or later across all applications and embedded dependencies.
  • Inventory Windows hosts and applications that use JSch SFTP recursive GET flows, especially any code paths using ChannelSftp.OVERWRITE.
  • Treat server-supplied filenames and paths as untrusted; canonicalize and validate destination paths before writing files.
  • Avoid overwrite modes or isolate downloads into a controlled staging directory when interacting with untrusted SFTP servers.
  • Review logs and file integrity monitoring for unexpected writes outside approved transfer directories.
  • Track third-party packages and repackaged libraries so older embedded JSch copies are not left behind after an upstream upgrade.
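The containment check called for in the technical summary and in the "canonicalize and validate destination paths" action above, as an added example; this is not JCraft's code and does not reproduce the fixed JSch logic. It assumes a hypothetical SafeSftpDestination helper and a local "downloads" directory, and treats backslashes as separators on every platform so a ..\ sequence sent to a Windows client is rejected the same way as ../.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeSftpDestination {

    /** Thrown when a server-supplied name would escape the download directory. */
    public static final class UnsafePathException extends IOException {
        public UnsafePathException(String msg) { super(msg); }
    }

    /**
     * Resolve a remote entry name (as returned by the SFTP server during a
     * recursive GET) against the local download directory, rejecting anything
     * that would land outside it. Backslashes are treated as separators even
     * on non-Windows hosts so the check does not depend on the host platform.
     */
    public static Path resolveSafely(Path downloadDir, String remoteName) throws IOException {
        if (remoteName == null || remoteName.isEmpty()) {
            throw new UnsafePathException("empty remote name");
        }
        if (remoteName.startsWith("/") || remoteName.startsWith("\\")) {
            throw new UnsafePathException("absolute remote name: " + remoteName);
        }
        // Split on both separator styles: SFTP itself uses '/', but a server can
        // hand a Windows client "..\" and Java's Windows path parser honours it.
        String[] parts = remoteName.split("[/\\\\]");
        Path base = downloadDir.toAbsolutePath().normalize();
        Path target = base;
        for (String p : parts) {
            if (p.isEmpty() || p.equals(".")) continue;
            if (p.equals("..")) {
                throw new UnsafePathException("traversal component in remote name: " + remoteName);
            }
            if (p.length() > 1 && p.charAt(1) == ':') { // drive-qualified, e.g. C:
                throw new UnsafePathException("drive-qualified remote name: " + remoteName);
            }
            target = target.resolve(p);
        }
        target = target.normalize();
        // Second line of defence: verify the final path is still inside the base.
        if (!target.startsWith(base)) {
            throw new UnsafePathException("resolved outside download dir: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get("downloads");               // constructed sample base
        System.out.println(resolveSafely(dir, "reports/2017/q1.csv"));
        try {
            resolveSafely(dir, "..\\..\\outside.txt");   // constructed hostile name
        } catch (UnsafePathException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Calling resolveSafely for every entry before the file is opened, and writing into a staging directory rather than with OVERWRITE, covers the two conditions the CVE depends on.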

Evidence notes

The CVE record and NVD detail supplied in the corpus identify JCraft JSch before 0.1.54 as affected and describe the Windows/ChannelSftp.OVERWRITE path traversal scenario. The corpus also provides CWE-22 and CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, supporting an integrity-focused remote attack with no user interaction. Publication timing should be read from the CVE publishedAt field (2017-01-19T22:59:00.150Z); the later modifiedAt timestamp (2026-05-13T00:24:29.033Z) reflects record updates, not the original issue date.

Official resources

Publicly disclosed in the CVE record on 2017-01-19. The corpus marks the issue as modified by NVD on 2026-05-13. No KEV listing, ransomware linkage, or known exploitation campaign is indicated in the supplied data.