CVE-2025-58181
CVE-2025-58181 is a medium-severity vulnerability in Golang Crypto with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-770.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 1% (40th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-198228
- Weakness: CWE-770
- Affected product: Golang Crypto
- Published:
- Last modified:
Description
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
Frequently asked questions
- What is CVE-2025-58181?
- SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- How severe is CVE-2025-58181?
- CVE-2025-58181 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
- Is CVE-2025-58181 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (40th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-58181?
- CVE-2025-58181 affects Golang Crypto. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-58181?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-58181 have an EU (EUVD) identifier?
- Yes. CVE-2025-58181 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-198228.
- When was CVE-2025-58181 published?
- CVE-2025-58181 was published on 2025-11-19 and last updated on 2026-06-17.
References
- https://go.dev/cl/721961
- https://go.dev/issue/76363
- https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
- https://pkg.go.dev/vuln/GO-2025-4134
Affected products (1)
- cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*
More vulnerabilities in Golang Crypto
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-42508 — Critical (CVSS 9.1): Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key'…
- CVE-2026-39834 — Critical (CVSS 9.1): When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload…
- CVE-2026-39833 — Critical (CVSS 9.1): The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never…
- CVE-2026-39832 — Critical (CVSS 9.1): When adding a key to a remote agent constraint extensions such as [email protected] were not…
- CVE-2026-39831 — Critical (CVSS 9.1): The Verify() method for FIDO/U2F security key types ([email protected], [email protected])…
All CVEs affecting Golang Crypto →
Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities
- CVE-2026-31283 — Critical (CVSS 9.8): In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email…
- CVE-2020-37067 — Critical (CVSS 9.8): Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers…
- CVE-2021-47875 — Critical (CVSS 9.8): GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the…
- CVE-2025-11832 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access…
- CVE-2024-44241 — Critical (CVSS 9.8): The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia…
- CVE-2022-3439 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
Browse all CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities →