CVE-2025-58181: 
cAdvisor Analisi e mitigazione delle vulnerabilità

CVE-2025-58181 is a security vulnerability affecting SSH servers that parse GSSAPI authentication requests. The vulnerability was discovered and disclosed on November 19, 2025, affecting the golang.org/x/crypto/ssh package. The issue stems from SSH servers not validating the number of mechanisms specified in GSSAPI authentication requests (Go Project, NVD).

The vulnerability occurs when SSH servers process GSSAPI authentication requests without proper validation of the mechanism count specified in the request. This oversight allows potential attackers to manipulate the request in a way that leads to unbounded memory consumption. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The primary impact of this vulnerability is on system availability through unbounded memory consumption. When exploited, an attacker can cause the affected SSH server to allocate excessive amounts of memory, potentially leading to resource exhaustion and degraded system performance (Go Project).

The vulnerability has been fixed in golang.org/x/crypto version v0.45.0. Users are advised to upgrade to this version or later to address the security issue. The fix was implemented to properly validate the number of mechanisms specified in GSSAPI authentication requests (Go Project).

The vulnerability was responsibly disclosed and reported by security researcher Jakub Ciolek. The Go Security team promptly addressed the issue by releasing a security update (Go Project).