CVE-2020-9283
Description
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A panic in golang.org/x/crypto/ssh signature verification allows denial-of-service attacks against both SSH clients and servers that accept Ed25519 public keys.
Root Cause
The vulnerability resides in the golang.org/x/crypto/ssh package, specifically in the handling of Ed25519 public keys during signature verification. A crafted public key with an invalid length can trigger a nil pointer dereference or an index-out-of-range panic, causing the SSH process to crash [3][4]. This affects versions before commit bac4c82f69751a6dd76e702d54b3ceb88adab236 (v0.0.0-20200220183623) [2].
Attack Vector
The panic can be triggered without authentication. An SSH client can send a malformed Ed25519 public key to a server that accepts public-key authentication, causing a denial of service. Conversely, an SSH server can send a malformed key to any connecting client, crashing the client [1][4]. No valid credentials are required; the mere receipt of the malformed key is sufficient.
Impact
Successful exploitation results in a complete denial of service for the targeted SSH endpoint. Because the panic occurs in the core parsing and verification logic, the entire SSH process terminates, disrupting all active sessions and preventing new connections [1][2]. This can be used to knock out SSH services on vulnerable systems.
Mitigation
The issue was patched in the Go cryptography repository by adding length validation for Ed25519 public keys before processing [3]. Users should update golang.org/x/crypto to the fixed version (v0.0.0-20200220183623 or later). The Go vulnerability database (GO-2020-0012) lists this as a moderate-severity DoS [4]. No workaround is available; updating the library is the only remedy.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
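The length validation described under Mitigation, as an added Go example (not code from golang.org/x/crypto or from this page): a standard-library-only parser for the ssh-ed25519 key blob that rejects wrong-size keys, next to a probe showing that crypto/ed25519.Verify panics when such a key reaches it unchecked. The names ParseEd25519Blob, VerifyPanics, readString and blob, and the all-zero sample keys, are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// readString consumes one SSH wire-format string: uint32 big-endian length, then bytes.
func readString(in []byte) (s, rest []byte, ok bool) {
	if len(in) < 4 || uint64(binary.BigEndian.Uint32(in)) > uint64(len(in)-4) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(in)
	return in[4 : 4+n], in[4+n:], true
}

// ParseEd25519Blob (illustrative name) parses string("ssh-ed25519") || string(key), rejecting keys that are not 32 bytes.
func ParseEd25519Blob(in []byte) (ed25519.PublicKey, error) {
	algo, rest, ok := readString(in)
	if !ok || string(algo) != "ssh-ed25519" {
		return nil, fmt.Errorf("not an ssh-ed25519 key blob")
	}
	key, _, ok := readString(rest)
	if !ok {
		return nil, fmt.Errorf("truncated key field")
	}
	if l := len(key); l != ed25519.PublicKeySize {
		return nil, fmt.Errorf("invalid size %d for Ed25519 public key", l)
	}
	return ed25519.PublicKey(key), nil
}

// VerifyPanics reports whether crypto/ed25519.Verify panics when handed key with no prior length check.
func VerifyPanics(key []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	ed25519.Verify(ed25519.PublicKey(key), []byte("msg"), make([]byte, ed25519.SignatureSize))
	return false
}

// blob returns a constructed sample key blob holding an n-byte all-zero key (n < 256).
func blob(n int) []byte {
	return append(append([]byte("\x00\x00\x00\x0bssh-ed25519"), 0, 0, 0, byte(n)), make([]byte, n)...)
}

func main() {
	for _, n := range []int{ed25519.PublicKeySize, 31, 0} {
		_, err := ParseEd25519Blob(blob(n))
		fmt.Printf("key len %d: unchecked Verify panics=%v, parser error=%v\n", n, VerifyPanics(make([]byte, n)), err)
	}
}
```

A service that recovers from the panic in a wrapper still drops the connection in flight; returning an error from the parser keeps malformed input on the ordinary error path.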
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/crypto (Go) | < 0.0.0-20200220183623-bac4c82f6975 | 0.0.0-20200220183623-bac4c82f6975 |
Affected products
- golang.org/x/crypto / golang.org/x/crypto (source: description)
- OSV coordinates (7 versions):
  - pkg:apk/chainguard/k3d (no CPE), range: < 5.6.0-r11
  - pkg:apk/chainguard/k3d-proxy (no CPE), range: < 5.6.0-r11
  - pkg:apk/chainguard/k3d-tools (no CPE), range: < 5.6.0-r11
  - pkg:apk/wolfi/k3d (no CPE), range: < 5.6.0-r11
  - pkg:apk/wolfi/k3d-proxy (no CPE), range: < 5.6.0-r11
  - pkg:apk/wolfi/k3d-tools (no CPE), range: < 5.6.0-r11
  - pkg:golang/golang.org/x/crypto (no CPE), range: < 0.0.0-20200220183623-bac4c82f6975
Patches
bac4c82f6975: ssh: return an error for malformed ed25519 public keys rather than panic
1 file changed · +20 −8
ssh/keys.go+20 −8 modified@@ -562,9 +562,11 @@ func parseED25519(in []byte) (out PublicKey, rest []byte, err error) { return nil, nil, err } - key := ed25519.PublicKey(w.KeyBytes) + if l := len(w.KeyBytes); l != ed25519.PublicKeySize { + return nil, nil, fmt.Errorf("invalid size %d for Ed25519 public key", l) + } - return (ed25519PublicKey)(key), w.Rest, nil + return ed25519PublicKey(w.KeyBytes), w.Rest, nil } func (k ed25519PublicKey) Marshal() []byte { @@ -582,9 +584,11 @@ func (k ed25519PublicKey) Verify(b []byte, sig *Signature) error { if sig.Format != k.Type() { return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) } + if l := len(k); l != ed25519.PublicKeySize { + return fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l) + } - edKey := (ed25519.PublicKey)(k) - if ok := ed25519.Verify(edKey, b, sig.Blob); !ok { + if ok := ed25519.Verify(ed25519.PublicKey(k), b, sig.Blob); !ok { return errors.New("ssh: signature did not verify") } @@ -838,6 +842,10 @@ func parseSKEd25519(in []byte) (out PublicKey, rest []byte, err error) { return nil, nil, err } + if l := len(w.KeyBytes); l != ed25519.PublicKeySize { + return nil, nil, fmt.Errorf("invalid size %d for Ed25519 public key", l) + } + key := new(skEd25519PublicKey) key.application = w.Application key.PublicKey = ed25519.PublicKey(w.KeyBytes) @@ -862,6 +870,9 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error { if sig.Format != k.Type() { return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) } + if l := len(k.PublicKey); l != ed25519.PublicKeySize { + return fmt.Errorf("invalid size %d for Ed25519 public key", l) + } h := sha256.New() h.Write([]byte(k.application)) 
@@ -898,8 +909,7 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error { original := Marshal(blob) - edKey := (ed25519.PublicKey)(k.PublicKey) - if ok := ed25519.Verify(edKey, original, edSig.Signature); !ok { + if ok := ed25519.Verify(k.PublicKey, original, edSig.Signature); !ok { return errors.New("ssh: signature did not verify") } @@ -1051,7 +1061,10 @@ func NewPublicKey(key interface{}) (PublicKey, error) { case *dsa.PublicKey: return (*dsaPublicKey)(key), nil case ed25519.PublicKey: - return (ed25519PublicKey)(key), nil + if l := len(key); l != ed25519.PublicKeySize { + return nil, fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l) + } + return ed25519PublicKey(key), nil default: return nil, fmt.Errorf("ssh: unsupported key type %T", key) } @@ -1304,7 +1317,6 @@ func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.Priv return nil, errors.New("ssh: malformed OpenSSH key") } - // we only handle ed25519 and rsa keys currently switch pk1.Keytype { case KeyAlgoRSA: // https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L2760-L2773
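Review bot: The error string added in parseED25519 (@@ -562), "invalid size %d for Ed25519 public key", has no "ssh: " prefix, while the same check in ed25519PublicKey.Verify and NewPublicKey returns "ssh: invalid size %d for Ed25519 public key". parseSKEd25519 and skEd25519PublicKey.Verify also use the unprefixed form, even though the neighbouring error in that Verify is prefixed. Use one form across all five checks so that callers and log filters matching on the message see a single string.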
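Review bot: The length check in ed25519PublicKey.Verify (@@ -582) repeats the one just added to parseED25519 without saying why both are needed. Since the type is a plain conversion from a byte slice (ed25519PublicKey(w.KeyBytes)), a value can exist that never passed the parser or NewPublicKey, and a short comment to that effect would stop a later cleanup from removing the check as redundant. The same four-line block now appears five times in this file; a small unexported helper returning the error would keep the copies from drifting apart.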
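Review bot: Missing regression test: the change as shown touches only ssh/keys.go (1 file changed, +20 −8), so none of the new length checks is exercised by a test in this patch. Add a test that passes a short and an over-long key to parseED25519, parseSKEd25519 and NewPublicKey, and calls Verify on a wrongly sized ed25519PublicKey and skEd25519PublicKey, asserting that each returns an error and does not panic.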
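Review bot: The last hunk (@@ -1304, parseOpenSSHPrivateKey) deletes the comment "// we only handle ed25519 and rsa keys currently", which is unrelated to the public-key length checks in the rest of the patch. Either mention the cleanup in the commit message or move it to its own change so the security fix stays minimal and easy to backport.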
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ffhg-7mh4-33c4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-9283 (ghsa, ADVISORY)
- packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html (ghsa, WEB)
- github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 (ghsa, WEB)
- go.dev/cl/220357 (ghsa, WEB)
- go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236 (ghsa, WEB)
- groups.google.com/forum/ (ghsa, WEB)
- groups.google.com/g/golang-announce/c/3L45YRc91SY (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2020/10/msg00014.html (ghsa, mailing-list, WEB)
- lists.debian.org/debian-lts-announce/2020/11/msg00027.html (ghsa, mailing-list, WEB)
- lists.debian.org/debian-lts-announce/2020/11/msg00031.html (ghsa, mailing-list, WEB)
- lists.debian.org/debian-lts-announce/2023/06/msg00017.html (mitre, mailing-list)
- pkg.go.dev/vuln/GO-2020-0012 (ghsa, WEB)
- www.exploit-db.com/exploits/48121 (ghsa, WEB)
- groups.google.com/forum/ (mitre)