CVE-2025-58181: Allocation of Resources Without Limits or Throttling in X Crypto Golang.org X Crypto SSH

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 74.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: Nov 19
Latest update: Jan 13

Description

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 3 packages

Patches

🔴 Vulnerability Details

5 entries
OSV: Unbounded memory consumption in golang.org/x/crypto/ssh (2025-11-19)
OSV: CVE-2025-58181: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause un (2025-11-19)
OSV: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption (2025-11-19)
GHSA: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption (2025-11-19)
CVEList: Unbounded memory consumption in golang.org/x/crypto/ssh (2025-11-19)

📋 Vendor Advisories

3 entries
Ubuntu: Google Guest Agent vulnerability (2026-01-13)
Red Hat: golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication (2025-11-19)
Debian: CVE-2025-58181: golang-go.crypto - SSH servers parsing GSSAPI authentication requests do not validate the number of... (2025)

💬 Community

1 entry
Bugzilla: CVE-2025-58181 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication (2025-11-19)