GO-2025-3487

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2025-3487

Import Source

https://vuln.go.dev/ID/GO-2025-3487.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2025-3487

Aliases

CVE-2025-22869

Published

2025-02-26T02:51:51Z

Modified

2025-02-26T03:12:12.517573Z

Summary

Potential denial of service in golang.org/x/crypto

Details

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2025-3487"
}

References

Credits

- Yuichi Watanabe

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.35.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/crypto/ssh",
            "symbols": [
                "Client.Dial",
                "Client.DialContext",
                "Client.DialTCP",
                "Client.Listen",
                "Client.ListenTCP",
                "Client.ListenUnix",
                "Client.NewSession",
                "Dial",
                "DiscardRequests",
                "NewClient",
                "NewClientConn",
                "NewServerConn",
                "Request.Reply",
                "Session.Close",
                "Session.CombinedOutput",
                "Session.Output",
                "Session.RequestPty",
                "Session.RequestSubsystem",
                "Session.Run",
                "Session.SendRequest",
                "Session.Setenv",
                "Session.Shell",
                "Session.Signal",
                "Session.Start",
                "Session.WindowChange",
                "channel.Accept",
                "channel.Close",
                "channel.CloseWrite",
                "channel.Read",
                "channel.ReadExtended",
                "channel.Reject",
                "channel.SendRequest",
                "channel.Write",
                "channel.WriteExtended",
                "connection.SendAuthBanner",
                "curve25519sha256.Client",
                "curve25519sha256.Server",
                "dhGEXSHA.Client",
                "dhGEXSHA.Server",
                "dhGroup.Client",
                "dhGroup.Server",
                "ecdh.Client",
                "ecdh.Server",
                "extChannel.Read",
                "extChannel.Write",
                "handshakeTransport.kexLoop",
                "handshakeTransport.recordWriteError",
                "handshakeTransport.writePacket",
                "mux.OpenChannel",
                "mux.SendRequest",
                "newHandshakeTransport",
                "sessionStdin.Close",
                "sshClientKeyboardInteractive.Challenge",
                "tcpListener.Accept",
                "tcpListener.Close",
                "unixListener.Accept",
                "unixListener.Close"
            ]
        }
    ]
}