CVE-2025-22869

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Published: Apr 12, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-22869
GHSA: GHSA-hcg3-q754-cr77
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
golang.org/x/crypto	-	0.35.0
go / ssh	-	0.35.0

https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22
https://go-review.googlesource.com/c/crypto/+/652135
https://go.dev/cl/652135
https://go.dev/issue/71931
https://pkg.go.dev/vuln/GO-2025-3487
https://security.netapp.com/advisory/ntap-20250411-0010
https://security.netapp.com/advisory/ntap-20250411-0010/

Vulnerability Database

289,599

CVE-2025-22869