golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

GHSA-j5w8-q4qc-rx2x · CVE-2025-58181 · GO-2025-4134

Published Nov 19, 2025 · Modified Mar 24, 2026

Description

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-58181
WEB https://go.dev/cl/721961
WEB https://go.dev/issue/76363
WEB https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
WEB https://pkg.go.dev/vuln/GO-2025-4134

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes