
Paramiko Audit Complete!

This blog post was originally published on the OSTIF Blog written by Helen Woeste

The Open Source Technology Improvement Fund is proud to share the results of our security audit of Paramiko. Paramiko is an open source Python implementation of the SSHv2 protocol designed for secure remote login and other secure network services. Thanks to the help of Quarkslab and Alpha-Omega, this project received custom security work reviewing Paramiko’s testing, building and CI systems, and cryptography.

Audit Process:

The engagement took place in November 2025, with Quarkslab’s audit team executing the mission on Paramiko’s testing, building, and CI systems. To cover the security-critical features of Paramiko effectively, the scope was expanded to include PYCA Cryptography and how it interacts with Paramiko’s critical cryptographic functions, PYCA Cryptography’s OpenSSL Rust bindings, and the CI/CD pipelines (CircleCI for Paramiko and GitHub Actions for PYCA Cryptography). For Paramiko, the engagement consisted of manual code review, dependency review, dynamic testing, build system review, testing enhancements, static analysis, and fuzz testing.

Audit Results:

  • 30 Findings with Security Impact
    • 2 High
    • 7 Medium
    • 5 Low
    • 16 Informational
  • Build and CI/CD Pipeline Review
  • Testing Enhancements
    • Implementation of a crypto-condor plug-in to incorporate in the CI for cryptographic compliance and testing of entropy sources
    • Review of current testing coverage
  • SSH RFC compliance review

The project maintainer worked diligently to address and resolve the issues presented in this report, engaging with the audit team to design fixes aligned with security best practices. Update to the most recent release of Paramiko (version 5.0 will be released in early May 2026) and follow the documentation in order to take advantage of the hard work of the individuals behind Paramiko and Quarkslab. If you’re interested in contributing to Paramiko, learn more about the project and its community on its website.

Thank you to the individuals and groups that made this engagement possible:

  • Paramiko maintainers and community, especially: Jeff Forcier
  • Quarkslab: Dahmun Goudarzi, Julio Loayza Meneses, Alan Marrec, and Pauline Sauder
  • Alpha-Omega

You can read the Audit Report HERE

You can read Quarkslab’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to contactus@ostif.org.

Follow OSTIF’s lu.ma page for up to date information about open source security webinars, meetups, and educational opportunities!

Stay up to date with our latest security audits and open source security initiatives. Follow Alpha-Omega on LinkedIn.

Author Bio

Helen Woeste joined OSTIF in 2023, coming from a decade of work experience in the restaurant and hospitality industries. With a passion (and degree) for writing and governance structures, Woeste quickly transitioned into an operations and communications role in technology.