CVE-2025-22869

HIGH

GO SSH < 0.35.0 - Resource Allocation Without Limits

Title source: rule

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Exploits (1)

gitlab STUB

by sempernow · poc

https://gitlab.com/sempernow/age

View Code ZIP pw:eip

References (4)

[Patch] https://go.dev/cl/652135

[Issue Tracking, Patch] https://go.dev/issue/71931

[Vendor Advisory] https://pkg.go.dev/vuln/GO-2025-3487

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20250411-0010/

Scores

CVSS v3 7.5

EPSS 0.0061

EPSS Percentile 69.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-770

Status published

Products (2)

go/ssh < 0.35.0

x/crypto 0 - 0.35.0Go

Published Feb 26, 2025

Tracked Since Feb 18, 2026