CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-22869: Potential denial of service in golang.org/x/crypto

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Classification

CVE ID: CVE-2025-22869

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: golang.org/x/crypto

Product: golang.org/x/crypto/ssh

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 15.58% (scored less or equal to compared to others)

EPSS Date: 2025-03-27 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22869
https://go.dev/cl/652135
https://go.dev/issue/71931
https://pkg.go.dev/vuln/GO-2025-3487

Timeline

2025-02-26 04:42:53 UTC
CVE

Potential denial of service in golang.org/x/crypto
2025-03-26 17:15:29 UTC
Tenable Plugins

SUSE SLES15 Security Update : buildah (SUSE-SU-2025:1014-1)
2025-03-27 12:15:26 UTC
Tenable Plugins

SUSE SLES15 Security Update : buildah (SUSE-SU-2025:1017-1)
2025-03-27 12:15:28 UTC
Tenable Plugins

SUSE SLES15 / openSUSE 15 Security Update : buildah (SUSE-SU-2025:1018-1)
2025-04-14 06:00:46 UTC
Tenable Plugins

RHEL 8 / 9 : Red Hat Edge Manager Version 0.5.1 (Technology Preview) security fixes (Important) (RHSA-2025:3685)