crypto-ssh for Go: denial of service via slow key exchange (CVE-2025-22869) #shorts

Summary

In today's episode, we'll be discussing a critical vulnerability identified as CVE-2025-22869. This affects the Go language's crypto/ssh package up to version 0.34.x and poses a serious threat as it can be exploited to enact a Denial of Service (DoS) attack. We'll examine how this vulnerability functions, its implications, and what measures are recommended to guard against such attacks.

Product details

The affected product is the Go language's crypto/ssh package, a widely used library for implementing SSH servers and clients. This vulnerability specifically targets versions prior to 0.35.0. The vulnerability falls under the purview of the Go project, which is responsible for maintaining this core package.

Vulnerability type summary

CVE-2025-22869 is identified as a CWE-770 vulnerability, which pertains to the allocation of resources without limits or throttling. More specifically, this vulnerability can be manipulated via unknown data to cause a Denial of Service attack on SSH servers.

Details of the vulnerability

The vulnerability permits an attacker to exploit SSH servers implementing file transfer protocols. By completing the key exchange process slowly or not at all, attackers cause pending content to be read into memory without being transmitted, effectively leading to resource exhaustion and ultimately a Denial of Service condition. Several security advisories, including those from SUSE, have been released to address this issue in associated products like podman and buildah.

Conclusion

To mitigate the risks associated with CVE-2025-22869, it's crucial for users and administrators to upgrade their implementations of the Go language's crypto/ssh package to versions 0.35.0 or later. Staying informed with the latest security advisories and patch updates, such as those from SUSE, is also recommended to safeguard infrastructure from potential attacks. Thanks for tuning into today's episode, stay safe and secure.

Watch the full video on YouTube: CVE-2025-22869

Remediation and exploitation details

This chain involves the following actors

This following systems are involved

Attack entry point

Remediation actions

Exploitation actions

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-22869
Description
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Provider
Go
CWE / problem types
CWE-770: Allocation of Resources Without Limits or Throttling
Affected Software Versions
golang.org/x/crypto:golang.org/x/crypto/ssh:[{'version': '0', 'lessThan': '0.35.0', 'status': 'affected', 'versionType': 'semver'}]
Date Published
2025-02-26T03:07:48.855Z
Last Updated
2025-04-11T22:03:24.222Z