Go SSH Agent Message Size Validation Vulnerability Leading to Panic

Vulnerability

A vulnerability exists in the SSH Agent server implementation in the Go programming language's crypto package. This issue arises because the server does not properly validate the size of messages when handling new identity requests. As a result, if a message is malformed, it can cause an out-of-bounds read, leading the program to panic. This vulnerability affects all versions of the golang.org/x/crypto/ssh/agent package prior to 0.45.0.
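The failure mode described above, as an added illustration that is not the golang.org/x/crypto code: an SSH wire "string" field is a 4-byte big-endian length followed by that many bytes, and a reader that trusts the declared length without comparing it to the bytes actually present will index past the buffer and panic on a malformed request. The unchecked reader, the bounds-checked reader and the sample payload below are all constructed here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrShortMessage is returned when a length prefix claims more bytes than the message holds.
var ErrShortMessage = errors.New("ssh agent: message shorter than declared field length")

// ReadStringUnchecked mirrors the unsafe pattern: it trusts the 4-byte length
// prefix and slices without comparing it to the bytes actually present, so a
// malformed prefix makes the slice expression run past buf and panic.
func ReadStringUnchecked(buf []byte) (field, rest []byte) {
	n := binary.BigEndian.Uint32(buf)
	return buf[4 : 4+n], buf[4+n:]
}

// ReadStringChecked is the hardened form: the declared length is validated
// against the remaining input before slicing, so a malformed client message
// is reported as an error instead of crashing the agent.
func ReadStringChecked(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, ErrShortMessage
	}
	end := uint64(4) + uint64(binary.BigEndian.Uint32(buf)) // uint64 avoids wraparound
	if end > uint64(len(buf)) {
		return nil, nil, ErrShortMessage
	}
	return buf[4:end], buf[end:], nil
}

// UncheckedPanics reports whether parsing buf with the unchecked reader panics.
func UncheckedPanics(buf []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	ReadStringUnchecked(buf)
	return false
}

func main() {
	// Constructed malformed payload: the prefix claims 0x7fffffff bytes of key
	// material, but only three bytes follow.
	malformed := []byte{0x7f, 0xff, 0xff, 0xff, 'k', 'e', 'y'}
	fmt.Println("unchecked reader panics:", UncheckedPanics(malformed))
	_, _, err := ReadStringChecked(malformed)
	fmt.Println("checked reader error:", err)
}
```

The same check has to be applied to every length-prefixed field of the request, not only the first one, since each field's length is attacker-controlled.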

Impact

Exploitation of this vulnerability causes the Go program to panic, potentially leading to a denial of service.

Remediation

Users can upgrade the golang.org/x/crypto module to version 0.45.0 or later, where this vulnerability has been fixed.

Added: Nov 19, 2025, 9:20 PM
Updated: Nov 19, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 1.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.