CVE-2025-47914 - Vulnerability Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Golang Subscribe	Crypto Subscribe Ssh Subscribe

Configuration 1 [-]

cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Golang Subscribe	Crypto Subscribe Ssh Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-f6x5-jh6r-wrfv	golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://go.dev/cl/721960
https://go.dev/issue/76364
https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
https://nvd.nist.gov/vuln/detail/CVE-2025-47914
https://pkg.go.dev/vuln/GO-2025-4135
https://www.cve.org/CVERecord?id=CVE-2025-47914

History

Thu, 18 Dec 2025 09:15:00 +0900

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-47914 https://www.cve.org/CVERecord?id=CVE-2025-47914
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 12 Dec 2025 04:45:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:golang:crypto::::::go::*

Fri, 21 Nov 2025 18:30:00 +0900

Type	Values Removed	Values Added
First Time appeared		Golang Golang crypto Golang ssh
Vendors & Products		Golang Golang crypto Golang ssh

Fri, 21 Nov 2025 02:30:00 +0900

Type	Values Removed	Values Added
Title	CVE-2025-47914 in golang.org/x/crypto/ssh/agent	Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

Thu, 20 Nov 2025 06:15:00 +0900

Type	Values Removed	Values Added
Weaknesses		CWE-125
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 20 Nov 2025 05:45:00 +0900

Type	Values Removed	Values Added
Description		SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
Title		CVE-2025-47914 in golang.org/x/crypto/ssh/agent
References		https://go.dev/cl/721960 https://go.dev/issue/76364 https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA https://pkg.go.dev/vuln/GO-2025-4135

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2025-11-19T20:33:43.126Z

Updated: 2025-11-20T17:15:00.344Z

Reserved: 2025-05-13T23:31:29.597Z

Link: CVE-2025-47914

Vulnrichment

Updated: 2025-11-19T20:50:22.359Z

NVD

Status : Analyzed

Published: 2025-11-19T21:15:50.517

Modified: 2025-12-11T19:36:41.373

Link: CVE-2025-47914

Redhat

Severity : Moderate

Publid Date: 2025-11-19T20:33:43Z

Links: CVE-2025-47914 - Bugzilla

OpenCVE Enrichment

Updated: 2025-11-21T18:16:08Z

Weaknesses

CWE-125

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object