CVE-2025-47913: 
Packer Schwachstellenanalyse und -minderung

CVE-2025-47913 is a vulnerability discovered in the golang.org/x/crypto SSH client implementation. The vulnerability was disclosed on November 13, 2025, affecting SSH clients that receive SSHAGENTSUCCESS when expecting a typed response, causing a panic and early termination of the client process (NVD, Ubuntu).

The vulnerability exists in golang.org/x/crypto versions prior to v0.43.0. When the unmarshal layer converts 0x06 (SSHAGENTSUCCESS) into a successAgentMsg, the client methods only handle specific success types or failureAgentMsg. Any other type results in a panic with 'unreachable' error. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Go Issue).

The vulnerability allows a malicious or buggy agent to terminate the client process with a single, well-formed one-byte reply. This affects multiple functions including List(), Signers(), and Sign() operations, leading to denial of service through client process termination (Go Issue).

The vulnerability has been fixed in golang.org/x/crypto version 0.43.0. Users are advised to upgrade to this version or later to mitigate the issue (GitHub Advisory).