Allocation of Resources Without Limits or Throttling in golang.org/x/crypto/ssh | CVE-2025-22869

Q: How to fix?

Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

Introduced: 26 Feb 2025

NewCVE-2025-22869 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

Overview

golang.org/x/crypto/ssh is a SSH client and server

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting golang.org/x/crypto/ssh package, versions <0.35.0

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 26 Feb 2025

How to fix?

Overview

References

CVSS Scores

Snyk