CVE-2025-47914

MEDIUM5.3EPSS 0.01%

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

Published: 11/19/2025Modified: 3/24/2026

Also known as:GHSA-f6x5-jh6r-wrfvCGA-g95w-h5g8-rhqqDEBIAN-CVE-2025-47914GO-2025-4135

Description

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Affected packages (3)

Debian/golang-go.cryptofrom 0
Go/golang.org/x/cryptofrom 0, < 0.45.0
Go/golang.org/x/cryptofrom 0, < 0.45.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-47914
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-47914
WEBhttps://go.dev/cl/721960
WEBhttps://go.dev/issue/76364
WEBhttps://go.googlesource.com/crypto
WEBhttps://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
WEBhttps://pkg.go.dev/vuln/GO-2025-4135