x/vulndb: potential Go vuln in golang.org/x/crypto: GHSA-j5w8-q4qc-rx2x

[GoVulnBot]

Advisory GHSA-j5w8-q4qc-rx2x references a vulnerability in the following Go modules:

Module
golang.org/x/crypto

Description:
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

References:

• ADVISORY: GHSA-j5w8-q4qc-rx2x
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-58181
• FIX: https://go.dev/cl/721961
• REPORT: https://go.dev/issue/76363
• WEB: https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA

Cross references:

• golang.org/x/crypto appears in 13 other report(s):
  • data/reports/GO-2020-0012.yaml (dummy issue #12)
  • data/reports/GO-2020-0013.yaml (dummy issue #13)
  • data/reports/GO-2021-0227.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2020-29652 #227)
  • data/reports/GO-2021-0356.yaml (x/vulndb: potential Go vuln in std: CVE-2022-27191 #356)
  • data/reports/GO-2022-0209.yaml (x/vulndb: potential Go vuln in "Go Standard Library (package not identified)": CVE-2019-11840 #209)
  • data/reports/GO-2022-0229.yaml (x/vulndb: potential Go vuln in Go Standard Library (package not identified): CVE-2020-7919 #229)
  • data/reports/GO-2022-0968.yaml (x/vulndb: potential Go vuln in std: CVE-2021-43565 #968)
  • data/reports/GO-2023-1992.yaml (x/vulndb: potential Go vuln in golang.org/x/crypto/openpgp/clearsign: GHSA-x3jr-pf6g-c48f #1992)
  • data/reports/GO-2023-2402.yaml (x/vulndb: potential Go vuln in golang.org/x/crypto: CVE-2023-48795 #2402)
  • data/reports/GO-2024-2961.yaml (x/vulndb: potential Go vuln in golang.org/x/crypto/acme/autocert: CVE-2022-30636 #2961)
  • data/reports/GO-2024-3321.yaml (x/vulndb: potential Go vuln in golang.org/x/crypto: CVE-2024-45337 #3321)
  • data/reports/GO-2025-3487.yaml (x/vulndb: potential Go vuln in golang.org/x/crypto: CVE-2025-22869 #3487)
  • data/reports/GO-2025-4116.yaml (x/vulndb: potential Go vuln in golang.org/x/crypto: CVE-2025-47913 #4116)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: golang.org/x/crypto
      versions:
        - fixed: 0.45.0
      vulnerable_at: 0.44.0
summary: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption in golang.org/x/crypto
cves:
    - CVE-2025-58181
ghsas:
    - GHSA-j5w8-q4qc-rx2x
references:
    - advisory: https://github.com/advisories/GHSA-j5w8-q4qc-rx2x
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-58181
    - fix: https://go.dev/cl/721961
    - report: https://go.dev/issue/76363
    - web: https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
source:
    id: GHSA-j5w8-q4qc-rx2x
    created: 2025-11-20T00:01:04.819322902Z
review_status: UNREVIEWED

[nicholashusin]

Duplicate of #4134