Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
Description
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSH Agent servers lack message size validation, allowing a malformed identity request to trigger an out-of-bounds read and panic.
Vulnerability
Description
CVE-2025-47914 is a denial-of-service vulnerability in the SSH Agent server implementation within the golang.org/x/crypto/ssh/agent package. The server does not validate the size of messages when processing new identity requests, leading to an out-of-bounds read condition when a malformed message is received [1][4].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted, undersized identity request message to a vulnerable SSH Agent server. No authentication is required; the attacker only needs network access to the agent port [1][4]. The flaw can be triggered during the parsing of the message, before any identity processing occurs.
Impact
Successful exploitation causes the program to panic, resulting in a denial of service (DoS). The agent becomes unavailable for legitimate authentication operations until restarted [1][4].
Mitigation
The vulnerability is fixed in golang.org/x/crypto version v0.45.0. Users are advised to update to this or a later version to prevent the issue [2][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
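As an added illustration (not code from golang.org/x/crypto or from the fix in go.dev/cl/721960), the Go sketch below shows the defensive pattern the advisory implies: bounds-checking each length-prefixed SSH wire-format field before indexing, so an undersized request returns an error instead of panicking the agent. The `readSSHString`/`parseIdentityFields` helpers and the sample payloads are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrTruncated reports a length prefix that promises more bytes than remain.
var ErrTruncated = errors.New("ssh wire: truncated string field")

// readSSHString parses one RFC 4251 "string" (uint32 big-endian length, then that
// many bytes). Both bounds are checked before indexing, so a bad length yields an
// error rather than the out-of-bounds panic this advisory describes.
func readSSHString(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, buf, ErrTruncated
	}
	n := binary.BigEndian.Uint32(buf)
	body := buf[4:]
	if uint64(n) > uint64(len(body)) { // uint64 compare: no 32-bit wraparound
		return nil, buf, fmt.Errorf("%w: want %d bytes, have %d", ErrTruncated, n, len(body))
	}
	return body[:n], body[n:], nil
}

// parseIdentityFields reads `want` consecutive string fields (key type, key blob,
// ...). Hypothetical helper for this example, not the agent package's own parser.
func parseIdentityFields(payload []byte, want int) ([][]byte, error) {
	fields := make([][]byte, 0, want)
	rest := payload
	for i := 0; i < want; i++ {
		f, r, err := readSSHString(rest)
		if err != nil {
			return nil, fmt.Errorf("field %d: %w", i, err)
		}
		fields = append(fields, f)
		rest = r
	}
	return fields, nil
}

// encodeSSHString builds a well-formed field for the constructed sample inputs.
func encodeSSHString(s []byte) []byte {
	out := make([]byte, 4+len(s))
	binary.BigEndian.PutUint32(out, uint32(len(s)))
	copy(out[4:], s)
	return out
}
```

A parser written this way fails closed on a short or oversized length prefix; wrapping a top-level `recover` around message handling is a weaker fallback, since it masks the bug rather than rejecting the input.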
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/crypto (Go) | < 0.45.0 | 0.45.0 |
Affected products
- golang.org/x/crypto/ssh/agent (module golang.org/x/crypto)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f6x5-jh6r-wrfv (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-47914 (advisory, via GHSA)
- go.dev/cl/721960 (web, via GHSA)
- go.dev/issue/76364 (web, via GHSA)
- go.googlesource.com/crypto (web, via GHSA)
- groups.google.com/g/golang-announce/c/w-oX3UxNcZA (web, via GHSA)
- pkg.go.dev/vuln/GO-2025-4135 (web, via GHSA)
News mentions
No linked articles in our index yet.