PT-2025-19348 · Fleet · Fleet

Published 2025-04-25 · Updated 2025-05-07 · CVE-2025-23390

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Fleet versions prior to v0.10.12
Fleet versions prior to v0.11.7
Fleet versions prior to v0.12.2
Description

A vulnerability has been identified in Fleet where, by default, Fleet automatically trusts a remote server's SSH host key (the advisory text refers to it as the server's certificate) when connecting over SSH if that host has no entry in the known hosts file. An attacker positioned between Fleet and the remote server can therefore present a host key of their own choosing and carry out a man-in-the-middle (MitM) attack against the connection. In practice this means a deployment whose known hosts file was never populated for a given server gets no host authentication at all on that connection. If the server being connected to does have a trusted entry in the known hosts file, Fleet correctly checks the presented key against that entry and refuses a key that does not match.
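To make the pre-fix and post-fix behaviour concrete, the following is an added example written for this page, not Fleet's own code. It reimplements, against the Go standard library only, the decision that a host-key callback has to make: look the hostname up in known_hosts, then either trust, refuse, or flag a mismatch. The `HostKeyCallback` type is a simplified form of the `golang.org/x/crypto/ssh.HostKeyCallback` contract (real code should use `knownhosts.New` from `golang.org/x/crypto/ssh/knownhosts` rather than hand-rolling a parser); `newHostKeyCallback`, `parseKnownHosts`, `demoKey`, `demoKnownHosts`, the hostnames and the fixed-seed keys are all hypothetical, constructed for the demo. The `trustUnknownHosts=true` branch is the vulnerable default described above; `false` is the effect of the fix.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// HostKeyCallback: simplified form of golang.org/x/crypto/ssh.HostKeyCallback.
// Called once per connection; a nil return means "trust this server".
type HostKeyCallback func(hostname, keyType string, wire []byte) error

var ErrUnknownHost = errors.New("host key not found in known_hosts")
var ErrKeyMismatch = errors.New("host key does not match known_hosts entry")

// knownHosts maps hostname -> key type -> SSH wire-encoded public key.
type knownHosts map[string]map[string][]byte

// parseKnownHosts reads plain OpenSSH known_hosts lines ("host[,host...] type base64").
// @-marker lines and hashed (|1|) hostnames are rejected rather than skipped, because a
// silently dropped line would turn a known host into an "unknown" one.
func parseKnownHosts(text string) (knownHosts, error) {
	kh := knownHosts{}
	for n, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) < 3 || strings.HasPrefix(f[0], "@") || strings.HasPrefix(f[0], "|1|") {
			return nil, fmt.Errorf("known_hosts line %d: unsupported or malformed entry", n+1)
		}
		wire, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil {
			return nil, fmt.Errorf("known_hosts line %d: %w", n+1, err)
		}
		for _, host := range strings.Split(f[0], ",") {
			if kh[host] == nil {
				kh[host] = map[string][]byte{}
			}
			kh[host][f[1]] = wire
		}
	}
	return kh, nil
}

// newHostKeyCallback builds the policy (hypothetical helper). trustUnknownHosts=true is the
// pre-fix default: a host with no entry is accepted on first use, so an on-path attacker who
// intercepts that connection can substitute their own key. A listed host presenting a
// different key (or a key type that is not listed) is refused in both modes.
func newHostKeyCallback(kh knownHosts, trustUnknownHosts bool) HostKeyCallback {
	return func(hostname, keyType string, wire []byte) error {
		keys, known := kh[hostname]
		switch {
		case !known && trustUnknownHosts:
			return nil // BUG: server never authenticated, MitM possible
		case !known:
			return fmt.Errorf("%w: %s", ErrUnknownHost, hostname)
		case !bytes.Equal(keys[keyType], wire):
			return fmt.Errorf("%w: %s", ErrKeyMismatch, hostname)
		}
		return nil
	}
}

// sshWireEd25519 encodes an Ed25519 public key the way SSH does (RFC 4253 length-prefixed
// strings: "ssh-ed25519" then the 32 key bytes); known_hosts stores this base64-encoded.
func sshWireEd25519(pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	for _, s := range [][]byte{[]byte("ssh-ed25519"), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		buf.Write(n[:])
		buf.Write(s)
	}
	return buf.Bytes()
}

// demoKey derives a throwaway public key from a fixed seed (constructed data, not a real server).
func demoKey(seed byte) ed25519.PublicKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize)).Public().(ed25519.PublicKey)
}

// demoKnownHosts builds a constructed known_hosts file that lists git.example.com only.
func demoKnownHosts() knownHosts {
	kh, err := parseKnownHosts("# constructed known_hosts\ngit.example.com ssh-ed25519 " +
		base64.StdEncoding.EncodeToString(sshWireEd25519(demoKey(0x11))) + "\n")
	if err != nil {
		panic(err)
	}
	return kh
}

func main() {
	kh, attacker := demoKnownHosts(), sshWireEd25519(demoKey(0x22))
	// The case the advisory is about: a host absent from known_hosts presenting an attacker's key.
	fmt.Println("pre-fix:", newHostKeyCallback(kh, true)("mirror.example.com", "ssh-ed25519", attacker))
	fmt.Println("fixed:  ", newHostKeyCallback(kh, false)("mirror.example.com", "ssh-ed25519", attacker))
}
```

The first line printed is `<nil>`: the permissive policy reports success even though nothing on the page's known_hosts vouches for `mirror.example.com`, which is exactly the window an on-path attacker needs. The second line carries `ErrUnknownHost`. For a host that is listed, both policies refuse a substituted key, matching the advisory's statement that a trusted entry is checked correctly.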
Recommendations

For Fleet versions prior to v0.10.12, upgrade to version v0.10.12 or later.
For Fleet versions prior to v0.11.7, upgrade to version v0.11.7 or later.
For Fleet versions prior to v0.12.2, upgrade to version v0.12.2 or later.

No temporary workaround is available, so users are recommended to upgrade to a version of Fleet that contains the fix as soon as possible.

Fix

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2025-23390
GHSA-XGPC-Q899-67P8
GO-2025-3649
OPENSUSE-SU-2025:15059-1

Affected Products

Fleet