CVE-2025-47914: golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

November 19, 2025 (updated November 20, 2025)

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

References

github.com/advisories/GHSA-f6x5-jh6r-wrfv
go.dev/cl/721960
go.dev/issue/76364
go.googlesource.com/crypto
groups.google.com/g/golang-announce/c/w-oX3UxNcZA
nvd.nist.gov/vuln/detail/CVE-2025-47914
pkg.go.dev/vuln/GO-2025-4135

Code Behaviors & Features

Detect and mitigate CVE-2025-47914 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →