{"id":"CVE-2025-47914","summary":"Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent","details":"SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.","aliases":["GHSA-f6x5-jh6r-wrfv","GO-2025-4135"],"modified":"2026-05-22T03:55:03.407177654Z","published":"2025-11-19T20:33:43.126Z","related":["CGA-g95w-h5g8-rhqq","SUSE-SU-2025:4526-1","SUSE-SU-2025:4536-1","SUSE-SU-2026:0014-1","SUSE-SU-2026:0067-1","SUSE-SU-2026:0125-1","SUSE-SU-2026:0439-1","SUSE-SU-2026:20035-1","SUSE-SU-2026:20123-1","SUSE-SU-2026:20176-1","SUSE-SU-2026:20244-1","SUSE-SU-2026:20357-1","SUSE-SU-2026:20451-1","SUSE-SU-2026:20626-1","SUSE-SU-2026:20641-1","SUSE-SU-2026:20656-1","SUSE-SU-2026:20949-1","SUSE-SU-2026:20976-1","SUSE-SU-2026:21291-1","openSUSE-RU-2026:20010-1","openSUSE-SU-2025:15771-1","openSUSE-SU-2025:15773-1","openSUSE-SU-2025:15852-1","openSUSE-SU-2025:20143-1","openSUSE-SU-2025:20177-1","openSUSE-SU-2026:10013-1","openSUSE-SU-2026:10042-1","openSUSE-SU-2026:10302-1","openSUSE-SU-2026:20080-1","openSUSE-SU-2026:20132-1","openSUSE-SU-2026:20305-1","openSUSE-SU-2026:20438-1","openSUSE-SU-2026:20730-1"],"database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"0.45.0"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47914.json","cna_assigner":"Go"},"references":[{"type":"WEB","url":"https://go.dev/cl/721960"},{"type":"WEB","url":"https://go.dev/issue/76364"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA"},{"type":"WEB","url":"https://pkg.go.dev"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-4135"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47914.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47914"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang/crypto","events":[{"introduced":"0"},{"fixed":"4e0068c0098be10d7025c99ab7c50ce454c1f0f9"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"0.45.0"}],"cpe":"cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*"}}],"versions":["v0.44.0","v0.43.0","v0.42.0","v0.41.0","v0.40.0","v0.39.0","v0.38.0","v0.37.0","v0.36.0","v0.35.0","v0.34.0","v0.33.0","v0.32.0","v0.31.0","v0.30.0","v0.29.0","v0.28.0","v0.27.0","v0.26.0","v0.25.0","v0.24.0","v0.23.0","v0.22.0","v0.21.0","v0.20.0","v0.19.0","v0.18.0","v0.17.0","v0.16.0","v0.15.0","v0.14.0","v0.13.0","v0.12.0","v0.11.0","v0.10.0","v0.9.0","v0.8.0","v0.7.0","v0.6.0","v0.5.0","v0.4.0","v0.3.0","v0.2.0","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-47914.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}