x/vulndb: suggestion regarding GO-2025-4134

[hiohiohio]

Report ID

GO-2025-4134

Suggestion/Comment

I have got below result but this GO-2025-4134 should be resolved by golang.org/x/crypto@v0.45.0 ?
ref. https://pkg.go.dev/vuln/GO-2025-4134

Vulnerability #1: GO-2025-4134
    CVE-2025-58181 in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2025-4134
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.43.0
    Fixed in: N/A

[johnsonjh]

Vulnerability #1: GO-2025-4134
    CVE-2025-58181 in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2025-4134
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.45.0
    Fixed in: N/A
    Example traces found:
      #1: main.go:3175:48: proxy.handleConn calls ssh.NewServerConn

Your code is affected by 1 vulnerability from 1 module.

This is a false positive and it directly contradicts the announcement that v0.45.0 was released specifically to fix this.

[silverwind]

What does "no known fixed" mean? Does the offending code need to be eliminated, meaning ssh.NewServerConn must never be called?

[johnsonjh]

@silverwind The vulnerability report seems clearly wrong.

https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA explicitly states that the v0.45.0 release was made to fix this problem, which I consider authoritative.

The govulncheck database is incorrectly reporting there is no fixed version which is clearly untrue. Until they fix this you’ll have to ignore govulncheck.

[oliverpool]

The published JSON seems incomplete: https://vuln.go.dev/ID/GO-2025-4134.json

{
  "package": {
    "name": "golang.org/x/crypto",
    "ecosystem": "Go"
  },
  "ranges": [
    {
      "type": "SEMVER",
      "events": [
        {
          "introduced": "0"
        }
      ]
    }
  ],
  "ecosystem_specific": {
    "imports": [
      {
        "path": "golang.org/x/crypto/ssh",
        "symbols": [
          "NewServerConn",
          "parseGSSAPIPayload"
        ]
      }
    ],
    "custom_ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          {
            "introduced": "0"
          },
          {
            "fixed": "0.45.0"
          }
        ]
      }
    ]
  }
}

The fixed event is missing from ranges. It is only present in custom_ranges, which is ignored by govulncheck...

Hence the output Fixed in: N/A.

[oliverpool]

vulndb/data/reports/GO-2025-4134.yaml

Line 4 in 3d8b4cf

non_go_versions:

should likely read versions: instead of non_go_versions:.

[thatnealpatel]

Hello, thank you @oliverpool , @silverwind , @johnsonjh , @hiohiohio for raising this. This will be rectified shortly.

[gopherbot]

Change https://go.dev/cl/722381 mentions this issue: data/reports: modify 2 reports