CVE-2025-22869: Potential denial of service in golang.org/x/crypto

Published Feb 26, 2025
·
Updated

Potential denial of service in golang.org/x/crypto

Other sources

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

MITRE

Affected Software

41 affected componentsFixes available
Google Go Crypto
go/golang.org/x/crypto<0.35.0
0.35.0
go Ssh Go<0.35.0
IBM Concert Software<=1.0.0-2.1.0
Microsoft cbl2 cert-manager 1.11.2-22
Patch available
Microsoft cbl2 terraform 1.3.2-25
Patch available
Microsoft azl3 cert-manager 1.12.15-2
Patch available
Microsoft azl3 docker-compose 2.27.0-4
Patch available
Microsoft azl3 cert-manager 1.12.15-3
Patch available
Microsoft azl3 packer 1.9.5-6
Patch available
Microsoft azl3 kubevirt 1.2.0-14
Patch available
Microsoft cbl2 moby-compose 2.17.3-10
Patch available
Microsoft cbl2 packer 1.9.5-13
Patch available
Microsoft azl3 packer 1.9.5-9
Patch available
Microsoft azl3 docker-compose 2.27.0-5
Patch available
Microsoft azl3 telegraf 1.31.0-10
Patch available
Microsoft azl3 node-problem-detector 0.8.20-2
Patch available
Microsoft azl3 kubernetes 1.30.10-3
Patch available
Microsoft azl3 gh 2.62.0-7
Patch available
Microsoft azl3 cf-cli 8.7.11-2
Patch available
Microsoft azl3 moby-engine 25.0.3-11
Patch available
Microsoft azl3 telegraf 1.31.0-5
Patch available
Microsoft cbl2 cert-manager 1.11.2-20
Patch available
Microsoft cbl2 telegraf 1.29.4-11
Patch available
Microsoft cbl2 packer 1.9.5-10
Patch available
Microsoft azl3 docker-buildx 0.14.0-4
Patch available
Microsoft cbl2 kubernetes 1.28.4-15
Patch available
Microsoft cbl2 moby-engine 24.0.9-15
Patch available
Microsoft cbl2 terraform 1.3.2-23
Patch available
Microsoft cbl2 kubevirt 0.59.0-25
Patch available
Microsoft cbl2 kubevirt 0.59.0-28
Patch available
Microsoft cbl2 terraform 1.3.2-25
Patch available
Microsoft cbl2 moby-engine 24.0.9-17
Patch available
Microsoft azl3 moby-engine 25.0.3-13
Patch available
Microsoft cbl2 telegraf 1.29.4-16
Patch available
Microsoft cbl2 kubernetes 1.28.4-18
Patch available
Microsoft azl3 gh 2.62.0-8
Patch available
Microsoft azl3 docker-buildx 0.14.0-5
Patch available
Microsoft azl3 cf-cli 8.7.11-3
Patch available
Microsoft azl3 kubevirt 1.2.0-17
Patch available
Microsoft azl3 kubernetes 1.30.10-7
Patch available

Remediation

Patch Available

https://go.dev/cl/652135

Patch Available

https://go.dev/issue/71931

Event History

Feb 26, 2025
CVE Published
via MITRE·03:07 AM
Data Sourced
via MITRE·03:07 AM
DescriptionWeakness
Data Sourced
via Red Hat·04:01 AM
DescriptionSeverityAffected Software
Mar 8, 2025
Data Sourced
via Microsoft·08:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·08:00 AM
Affected Software
Updated
via Microsoft·08:00 AM
DescriptionSeverity
Updated
via Microsoft·08:00 AM
Description
Apr 12, 2025
Advisory Published
via GitHub·12:30 AM
Dec 22, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-22869?

CVE-2025-22869 is classified as a denial of service vulnerability.

2

How do I fix CVE-2025-22869?

To mitigate CVE-2025-22869, ensure that your SSH server implementations are updated to the latest versions that address this vulnerability.

3

What causes CVE-2025-22869?

CVE-2025-22869 is caused by clients completing the key exchange slowly, leading to pending content being read into memory without transmission.

4

Which software is affected by CVE-2025-22869?

CVE-2025-22869 affects SSH servers that implement file transfer protocols, specifically those using the Go crypto package.

5

What are the potential impacts of CVE-2025-22869?

The potential impact of CVE-2025-22869 includes denial of service, where excessive memory usage can disrupt service availability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203