CVE-2025-58181 Overview
CVE-2025-58181 affects SSH servers built with the golang.org/x/crypto/ssh package. The vulnerability resides in the handling of Generic Security Services Application Program Interface (GSSAPI) authentication requests. The server does not validate the number of mechanisms specified in an incoming request, allowing a remote unauthenticated attacker to trigger unbounded memory consumption. This results in a denial-of-service (DoS) condition against affected SSH services. The flaw is tracked by Go's vulnerability database as GO-2025-4134 and is categorized as [CWE-770]: Allocation of Resources Without Limits or Throttling.
Critical Impact
Remote unauthenticated attackers can exhaust server memory by sending malformed GSSAPI authentication requests, leading to availability loss on SSH services built with golang.org/x/crypto/ssh.
Affected Products
- golang.org/x/crypto/ssh (Go crypto module) — versions prior to the fix in change go.dev/cl/721961
- Any SSH server application built on top of the affected golang.org/x/crypto/ssh package
- Downstream Go projects vendoring the vulnerable ssh subpackage
Discovery Timeline
- 2025-11-19 - CVE-2025-58181 published to the National Vulnerability Database (NVD)
- 2025-12-11 - Last updated in NVD database
Technical Details for CVE-2025-58181
Vulnerability Analysis
The golang.org/x/crypto/ssh server implementation processes SSH user authentication requests defined in RFC 4252. When a client selects the gssapi-with-mic authentication method, the SSH protocol requires the client to send a count field followed by a list of supported GSSAPI Object Identifiers (OIDs). The vulnerable server reads this count and pre-allocates a slice sized according to the attacker-supplied value without sanity checking it against any upper bound or against the actual remaining bytes in the request packet.
Because the count is an attacker-controlled 32-bit integer, a malicious client can declare an extremely large number of mechanisms. The server then attempts to allocate a correspondingly large data structure before parsing the actual OID payload. Repeated or parallel requests amplify memory pressure on the host, causing process termination or system-level resource exhaustion.
The vulnerability requires no authentication. The attack can be issued before any credentials are validated, since GSSAPI mechanism negotiation occurs during the authentication exchange itself.
Root Cause
The root cause is missing input validation on a length-prefixed list during SSH authentication packet parsing. The server trusts the wire-format count instead of bounding the allocation to the size of the remaining packet buffer. This pattern matches [CWE-770], Allocation of Resources Without Limits or Throttling.
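As an added example (not the golang.org/x/crypto/ssh source and not the upstream fix), the Go snippet below reimplements the length-prefixed list parsing described above in a constructed form: parseMechListUnsafe sizes its slice from the wire count before reading a single entry, while parseMechListBounded first checks the count against the bytes that remain in the packet, since every entry needs at least its own 4-byte length prefix. buildMechList is a constructed helper that writes a request body in the RFC 4462 layout with whatever count it is told, and the two OIDs are sample values (the DER content octets of the Kerberos V5 and SPNEGO mechanism OIDs).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed illustration of the allocation pattern behind CVE-2025-58181;
// it is not the x/crypto/ssh implementation. Wire layout of the
// gssapi-with-mic request body (RFC 4462):
//   uint32 n_mech, then n_mech entries of (uint32 length, bytes oid).

// readString pulls one SSH "string" (uint32 length + bytes) off buf.
func readString(buf []byte) (s, rest []byte, ok bool) {
	if len(buf) < 4 {
		return nil, buf, false
	}
	n := binary.BigEndian.Uint32(buf)
	buf = buf[4:]
	if uint64(n) > uint64(len(buf)) {
		return nil, buf, false
	}
	return buf[:n], buf[n:], true
}

// parseMechListUnsafe mirrors the vulnerable pattern: the result slice is
// allocated from the attacker-controlled count before any entry is parsed,
// so a forged count costs the server memory proportional to that count.
func parseMechListUnsafe(payload []byte) ([][]byte, error) {
	if len(payload) < 4 {
		return nil, errors.New("short payload")
	}
	n := binary.BigEndian.Uint32(payload)
	rest := payload[4:]
	oids := make([][]byte, n) // sized by the wire value, not by the packet
	for i := uint32(0); i < n; i++ {
		var ok bool
		if oids[i], rest, ok = readString(rest); !ok {
			return nil, errors.New("truncated mechanism list")
		}
	}
	return oids, nil
}

// parseMechListBounded refuses counts the packet cannot possibly hold: each
// entry consumes at least its 4-byte length prefix, so the count is capped by
// len(rest)/4 before anything is allocated, and entries are appended as they
// are actually read.
func parseMechListBounded(payload []byte) ([][]byte, error) {
	if len(payload) < 4 {
		return nil, errors.New("short payload")
	}
	n := binary.BigEndian.Uint32(payload)
	rest := payload[4:]
	if uint64(n) > uint64(len(rest)/4) {
		return nil, fmt.Errorf("mechanism count %d exceeds what %d remaining bytes can hold", n, len(rest))
	}
	oids := make([][]byte, 0, n)
	for i := uint32(0); i < n; i++ {
		oid, r, ok := readString(rest)
		if !ok {
			return nil, errors.New("truncated mechanism list")
		}
		oids = append(oids, oid)
		rest = r
	}
	return oids, nil
}

// buildMechList is a constructed helper: it writes the declared count
// verbatim, so the count and the number of real entries may disagree.
func buildMechList(count uint32, oids ...[]byte) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], count)
	out := append([]byte(nil), b[:]...)
	for _, oid := range oids {
		binary.BigEndian.PutUint32(b[:], uint32(len(oid)))
		out = append(out, b[:]...)
		out = append(out, oid...)
	}
	return out
}

func main() {
	krb5 := []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02} // 1.2.840.113554.1.2.2
	spnego := []byte{0x2b, 0x06, 0x01, 0x05, 0x05, 0x02}                // 1.3.6.1.5.5.2

	good := buildMechList(2, krb5, spnego)
	oids, err := parseMechListBounded(good)
	fmt.Printf("well-formed body: %d mechanisms, err=%v\n", len(oids), err)

	// A body that declares far more entries than it carries.
	forged := buildMechList(1<<20, krb5, spnego)
	_, err = parseMechListBounded(forged)
	fmt.Printf("forged count, bounded parser: %v\n", err)
	_, err = parseMechListUnsafe(buildMechList(4096, krb5, spnego))
	fmt.Printf("forged count, unsafe parser (after reserving 4096 slots): %v\n", err)
}
```

The cheap bound is deliberately loose: a count of 3 with only two entries present still passes it, but the parser then fails on the missing entry having allocated only three slots, which is the point. The allocation is tied to the bytes actually on the wire rather than to a value the peer chose.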
Attack Vector
An unauthenticated remote attacker establishes a TCP connection to an SSH server using the vulnerable Go package. The attacker completes the SSH transport-layer handshake and then issues an SSH_MSG_USERAUTH_REQUEST with the method name gssapi-with-mic and a forged mechanism count. The server allocates memory proportional to the declared count, exhausting heap memory and degrading or terminating the service.
The vulnerability is described in prose only; no public proof-of-concept code is available. See the Go.dev Vulnerability Advisory and the Go.dev Change Log Entry for the upstream fix details.
Detection Methods for CVE-2025-58181
Indicators of Compromise
- Abnormal memory growth in processes that embed golang.org/x/crypto/ssh as a server, particularly during the pre-authentication phase.
- SSH server crashes or out-of-memory (OOM) kills logged by the operating system shortly after inbound TCP connections to port 22.
- Repeated short-lived SSH sessions from a single source that disconnect immediately after the authentication banner exchange.
Detection Strategies
- Inventory all Go binaries that import golang.org/x/crypto/ssh using govulncheck or software composition analysis (SCA) tooling to surface vulnerable builds.
- Inspect SSH server logs for repeated gssapi-with-mic authentication attempts from unauthenticated peers, especially when GSSAPI is not in production use.
- Correlate SSH process resource consumption against connection counts to identify allocation anomalies during authentication.
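As an added example (not part of the advisory and not code from golang.org/x/crypto/ssh), the Go program below applies the second detection strategy to constructed log lines. The line format is an assumption standing in for whatever the embedding application writes from its authentication hook: an RFC 3339 timestamp, the literal word auth, then method, user, src and result fields. It groups failed gssapi-with-mic attempts by source address and flags any source that exceeds a threshold inside a sliding time window, which separates a burst of pre-authentication requests from the occasional stray attempt.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed sample input in an assumed format; it is not a
// format that golang.org/x/crypto/ssh itself emits. Addresses are from the
// documentation ranges.
const sampleLog = `
2025-11-20T10:00:01Z auth method=publickey user=deploy src=198.51.100.9:50110 result=success
2025-11-20T10:00:02Z auth method=gssapi-with-mic user=admin src=203.0.113.7:51234 result=fail
2025-11-20T10:00:03Z auth method=gssapi-with-mic user=admin src=203.0.113.7:51235 result=fail
2025-11-20T10:00:04Z auth method=gssapi-with-mic user=admin src=203.0.113.7:51236 result=fail
2025-11-20T10:00:06Z auth method=gssapi-with-mic user=admin src=203.0.113.7:51237 result=fail
2025-11-20T10:00:09Z auth method=gssapi-with-mic user=admin src=203.0.113.7:51238 result=fail
2025-11-20T10:05:00Z auth method=gssapi-with-mic user=alice src=198.51.100.9:50111 result=fail
2025-11-20T11:00:00Z auth method=gssapi-with-mic user=admin src=203.0.113.7:51300 result=fail
`

type authEvent struct {
	at     time.Time
	method string
	src    string // peer host with the port stripped
	ok     bool   // true only for result=success
}

// parseAuthLine decodes one line of the assumed format; ok is false for
// lines that are blank, malformed or not authentication events.
func parseAuthLine(line string) (ev authEvent, ok bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[1] != "auth" {
		return authEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return authEvent{}, false
	}
	ev.at = ts
	for _, f := range fields[2:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "method":
			ev.method = v
		case "src":
			if host, _, err := net.SplitHostPort(v); err == nil {
				ev.src = host
			} else {
				ev.src = v
			}
		case "result":
			ev.ok = v == "success"
		}
	}
	return ev, true
}

// flagGSSAPISources returns, per source address, the largest number of failed
// gssapi-with-mic attempts seen inside any window of the given length, but
// only for sources that reached the threshold.
func flagGSSAPISources(log string, window time.Duration, threshold int) map[string]int {
	bySrc := map[string][]time.Time{}
	for _, line := range strings.Split(log, "\n") {
		ev, ok := parseAuthLine(strings.TrimSpace(line))
		if !ok || ev.method != "gssapi-with-mic" || ev.ok {
			continue
		}
		bySrc[ev.src] = append(bySrc[ev.src], ev.at)
	}
	flagged := map[string]int{}
	for src, times := range bySrc {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		best, start := 0, 0
		for end := range times { // two-pointer sliding window over sorted times
			for times[end].Sub(times[start]) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			flagged[src] = best
		}
	}
	return flagged
}

func main() {
	flagged := flagGSSAPISources(sampleLog, time.Minute, 3)
	srcs := make([]string, 0, len(flagged))
	for s := range flagged {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs)
	for _, s := range srcs {
		fmt.Printf("%s: %d failed gssapi-with-mic attempts within 1m\n", s, flagged[s])
	}
}
```

Tune the window and threshold to the environment: where GSSAPI is not used at all, as the strategy above notes, a threshold of one attempt is reasonable, since any gssapi-with-mic request is then unexpected.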
Monitoring Recommendations
- Enable verbose SSH authentication logging and forward events to a centralized analytics platform for baseline comparison.
- Track per-process resident set size (RSS) and heap growth metrics for SSH server workloads.
- Alert on kernel oom-killer events targeting SSH daemons or Go-based network services exposing port 22.
How to Mitigate CVE-2025-58181
Immediate Actions Required
- Upgrade golang.org/x/crypto to a version that contains the fix from change go.dev/cl/721961 and rebuild all affected Go binaries.
- Restart any SSH services that embed the vulnerable package after rebuilding with the patched dependency.
- Restrict inbound SSH exposure to trusted source networks using firewall or security group rules until patching completes.
Patch Information
The Go security team published the fix referenced by GO-2025-4134 in the upstream golang.org/x/crypto repository. Update the module using go get golang.org/x/crypto@latest and confirm the resolved version in go.sum includes the patched commit. Validate the build with govulncheck ./... to ensure no remaining references to vulnerable versions. Consult the Go.dev Vulnerability Advisory for the authoritative fixed version range.
Workarounds
- Disable GSSAPI authentication in the SSH server configuration if the embedding application exposes such a toggle.
- Place affected SSH services behind a reverse proxy or bastion that terminates and inspects authentication requests.
- Apply per-source connection rate limits and concurrent connection caps at the network layer to reduce amplification potential.
# Update the vulnerable module and verify with govulncheck
go get golang.org/x/crypto@latest
go mod tidy
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.