CVE-2025-22869: Potential denial of service in golang.org/x/crypto

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Classification

CVE ID: CVE-2025-22869

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: golang.org/x/crypto

Product: golang.org/x/crypto/ssh

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 15.58% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-27 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22869
https://go.dev/cl/652135
https://go.dev/issue/71931
https://pkg.go.dev/vuln/GO-2025-3487

Timeline