CVE-2025-58181

MEDIUM5.3EPSS 0.05%

Unbounded memory consumption in golang.org/x/crypto/ssh

Published: 11/19/2025Modified: 5/15/2026

Description

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Affected packages (3)

Debian/golang-go.cryptofrom 0
Go/golang.org/x/cryptofrom 0, < 0.45.0
Go/golang.org/x/cryptofrom 0, < 0.45.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-58181
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-58181
WEBhttps://go.dev/cl/721961
WEBhttps://go.dev/issue/76363
WEBhttps://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
WEBhttps://pkg.go.dev/vuln/GO-2025-4134