CVE-2025-47914

MEDIUM

golang/crypto and x/crypto < 0.45.0 - Denial of Service via Malformed SSH Agent Message

Title source: llm

Description

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

References (4)

Core 4

Core References

Patch

https://go.dev/cl/721960

Issue Tracking, Patch

https://go.dev/issue/76364

Mailing List

https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA

Vendor Advisory

https://pkg.go.dev/vuln/GO-2025-4135

Scores

CVSS v3 5.3

EPSS 0.0047

EPSS Percentile 37.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-125

Status published

Products (2)

golang/crypto < 0.45.0

x/crypto 0 - 0.45.0Go

Published Nov 19, 2025

Tracked Since Feb 18, 2026