CVE-2025-58181
Published 2025-11-19
Priority P4 · 31 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.52% (40.3th percentile)
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-go.crypto | < golang-go.crypto 1:0.45.0-1 (forky) | golang-go.crypto 1:0.45.0-1 (forky) |
| golang.org | x_crypto | >= 0 < 0.45.0 | 0.45.0 |
| golang.org | x_crypto_golang.org_x_crypto_ssh | < 0.45.0 | 0.45.0 |
| golang | crypto | < 0.45.0 | 0.45.0 |
CVSS provenance
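| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | | 5.3 | MEDIUM | |
| vendor_debian | | 5.3 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |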
OSV
Unbounded memory consumption in golang.org/x/crypto/ssh
osv·2025-11-19
CVE-2025-58181 Unbounded memory consumption in golang.org/x/crypto/ssh
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
OSV
CVE-2025-58181: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause un
osv·2025-11-19·CVSS 5.3
CVE-2025-58181 [MEDIUM] CVE-2025-58181: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause un
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
OSV
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
osv·2025-11-19
CVE-2025-58181 [MEDIUM] golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
GHSA
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
ghsa·2025-11-19
CVE-2025-58181 [MEDIUM] CWE-770 golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Ubuntu
Google Guest Agent vulnerability
vendor_ubuntu·2026-01-13
CVE-2025-58181 Google Guest Agent vulnerability
Title: Google Guest Agent vulnerability
Summary: Google Guest Agent could be made to crash if it received specially
crafted network traffic.
Jakub Ciolek discovered that the Go Cryptography module included in
Google Guest Agent did not validate GSSAPI authentication requests during
SSH operations. An attacker could possibly use this issue to cause a
denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
vendor_redhat·2025-11-19·CVSS 5.3
CVE-2025-58181 [MEDIUM] CWE-770 golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
A flaw was found in golang.org/x/crypto/ssh. An attacker can exploit this vulnerability by sending specially crafted GSSAPI (Generic Security Service Application Program Interface) authentication requests to an SSH (Secure Shell) server. The server fails to validate the number of mechanisms specified in these requests, leading to unbounded memory consumption. This can result in a Denial of Service (DoS), making the SSH server unavailable to legitimate users.
Statement: This vulnerability
Debian
CVE-2025-58181: golang-go.crypto - SSH servers parsing GSSAPI authentication requests do not validate the number of...
vendor_debian·2025·CVSS 5.3
CVE-2025-58181 [MEDIUM] CVE-2025-58181: golang-go.crypto - SSH servers parsing GSSAPI authentication requests do not validate the number of...
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1:0.45.0-1)
sid: resolved (fixed in 1:0.45.0-1)
trixie: open
No detection rules found.
No public exploits indexed.
Published: 2025-11-19