Go modules package
golang.org/x/crypto
pkg:golang/golang.org/x/crypto
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-47914 | — | < 0.45.0 | 0.45.0 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | ||
| CVE-2025-58181 | — | < 0.45.0 | 0.45.0 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-22869 | — | < 0.35.0 | 0.35.0 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | ||
| CVE-2024-45337 | Cri | 9.1 | < 0.31.0 | 0.31.0 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2023-48795 | Med | 5.9 | >= 0.1.0, < 0.17.0 | 0.17.0 | Dec 18, 2023 | The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end | |
| CVE-2021-43565 | — | < 0.0.0-20211202192323-5770296d904e | 0.0.0-20211202192323-5770296d904e | Sep 6, 2022 | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. | ||
| CVE-2022-27191 | — | < 0.0.0-20220314234659-1baeb1ce4c0b | 0.0.0-20220314234659-1baeb1ce4c0b | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | ||
| CVE-2020-29652 | — | < 0.0.0-20201216223049-8b5274cf687f | 0.0.0-20201216223049-8b5274cf687f | Dec 17, 2020 | A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. | ||
| CVE-2020-7919 | — | < 0.0.0-20200124225646-8b5121be2f68 | 0.0.0-20200124225646-8b5121be2f68 | Mar 16, 2020 | Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. | ||
| CVE-2020-9283 | — | < 0.0.0-20200220183623-bac4c82f6975 | 0.0.0-20200220183623-bac4c82f6975 | Feb 20, 2020 | golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. | ||
| CVE-2019-11841 | — | < 0.0.0-20190424203555-c05e17bb3b2d | 0.0.0-20190424203555-c05e17bb3b2d | May 22, 2019 | A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" A | ||
| CVE-2019-11840 | Med | 5.9 | < 0.0.0-20190320223903-b7391e95e576 | 0.0.0-20190320223903-b7391e95e576 | May 9, 2019 | An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 G | |
| CVE-2017-3204 | Hig | 8.1 | < 0.0.0-20170330155735-e4e2799dd7aa | 0.0.0-20170330155735-e4e2799dd7aa | Apr 4, 2017 | The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism. |
- CVE-2025-47914Nov 19, 2025affected < 0.45.0fixed 0.45.0
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
- CVE-2025-58181Nov 19, 2025affected < 0.45.0fixed 0.45.0
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-22869Feb 26, 2025affected < 0.35.0fixed 0.35.0
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
- affected < 0.31.0fixed 0.31.0
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- affected >= 0.1.0, < 0.17.0fixed 0.17.0
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
- CVE-2021-43565Sep 6, 2022affected < 0.0.0-20211202192323-5770296d904efixed 0.0.0-20211202192323-5770296d904e
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
- CVE-2022-27191Mar 18, 2022affected < 0.0.0-20220314234659-1baeb1ce4c0bfixed 0.0.0-20220314234659-1baeb1ce4c0b
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- CVE-2020-29652Dec 17, 2020affected < 0.0.0-20201216223049-8b5274cf687ffixed 0.0.0-20201216223049-8b5274cf687f
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
- CVE-2020-7919Mar 16, 2020affected < 0.0.0-20200124225646-8b5121be2f68fixed 0.0.0-20200124225646-8b5121be2f68
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
- CVE-2020-9283Feb 20, 2020affected < 0.0.0-20200220183623-bac4c82f6975fixed 0.0.0-20200220183623-bac4c82f6975
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
- CVE-2019-11841May 22, 2019affected < 0.0.0-20190424203555-c05e17bb3b2dfixed 0.0.0-20190424203555-c05e17bb3b2d
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" A
- affected < 0.0.0-20190320223903-b7391e95e576fixed 0.0.0-20190320223903-b7391e95e576
An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 G
- affected < 0.0.0-20170330155735-e4e2799dd7aafixed 0.0.0-20170330155735-e4e2799dd7aa
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.