CVE-2025-22869

Name: CVE-2025-22869
Description: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1098968

Vulnerable and fixed packages

The table below lists information on source packages.

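| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-go.crypto (PTS) | bullseye | 1:0.0~git20201221.eec23a3-1 | vulnerable |
| golang-go.crypto | bookworm | 1:0.4.0-1 | vulnerable |
| golang-go.crypto | sid, trixie | 1:0.25.0-1 | vulnerable |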

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-go.crypto | source | (unstable) | (unfixed) | | | 1098968 |

Notes

[bookworm] - golang-go.crypto <no-dsa> (Minor issue)
[bullseye] - golang-go.crypto <ignored> (Minor issue; DoS)
https://github.com/golang/go/issues/71931
https://go-review.googlesource.com/c/crypto/+/652135
https://pkg.go.dev/vuln/GO-2025-3487
