CVE-2025-58181 — Unbounded memory consumption in golang.org/x/crypto/ssh

Description

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

How to fix CVE-2025-58181

To remediate CVE-2025-58181, upgrade the affected package to a fixed version below.

Debian/golang-go.crypto—no fix listed
—upgrade to 0.45.0 or later
—upgrade to 0.45.0 or later

Is CVE-2025-58181 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0, < 0.45.0
from 0, < 0.45.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-58181
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-58181
WEBgo.dev/cl/721961
WEBgo.dev/issue/76363
WEBgroups.google.com/g/golang-announce/c/w-oX3UxNcZA