CVE-2025-58181: golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

November 19, 2025

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

References

github.com/advisories/GHSA-j5w8-q4qc-rx2x
go.dev/cl/721961
go.dev/issue/76363
groups.google.com/g/golang-announce/c/w-oX3UxNcZA
nvd.nist.gov/vuln/detail/CVE-2025-58181
pkg.go.dev/vuln/GO-2025-4134

Code Behaviors & Features

Detect and mitigate CVE-2025-58181 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →