CVE-2025-22869
Aliases:GHSA-hcg3-q754-cr77GO-2025-3487
Advisory lineage Upstream: 0 Downstream: 87
Analyzed
Published: 26 Feb 2025, 03:07
Last modified:11 Apr 2025, 22:03
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.61% LOW
1% probability +0.39%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
26 Feb 2025, 03:07
Published
Vulnerability first disclosed
11 Apr 2025, 22:03
Last Modified
Vulnerability information updated
Description
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.61%• Percentile: 70%
Techniques & Countermeasures
- CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Affected Systems
- go•ssh
< 0.35.0
- golang.org/x•crypto
< 0.35.0
- golang.org/x/crypto•golang.org/x/crypto/ssh
< 0.35.0
References (9)
- https://go.dev/cl/652135
- https://go.dev/issue/71931
- https://pkg.go.dev/vuln/GO-2025-3487
- https://security.netapp.com/advisory/ntap-20250411-0010/
- https://nvd.nist.gov/vuln/detail/CVE-2025-22869
- https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22
- https://github.com/golang/crypto
- https://go-review.googlesource.com/c/crypto/+/652135
- https://security.netapp.com/advisory/ntap-20250411-0010