SSH Agent Panic

MEDIUM (5.3) Patch Available

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.05% chance of exploitation (percentile: 16%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

The SSH Agent is a component of the OpenSSH server that handles user authentication. When processing a new identity request, it does not validate the size of the message, so a malformed message can trigger an out-of-bounds read and a panic.

This vulnerability poses a significant risk as it allows attackers to potentially crash the SSH server, leading to a denial-of-service (DoS) attack or even arbitrary code execution. The impact is particularly concerning for organizations that rely on SSH for secure remote access.

Am I affected?

You're affected if you use golang.org/x/crypto/ssh/agent before v0.45.0. To check, run the following command:

go list -m golang.org/x/crypto

This prints the version of golang.org/x/crypto that your module resolves to (use `go list -m all` to see every dependency); compare it against v0.45.0.

Note: This is niche software; if you don't recognize "golang.org/x/crypto" or "ssh/agent", you're probably not affected. SSH Agent is an internal component of OpenSSH, so it's unlikely that other packages use this exact name.
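For fleet-wide triage it helps to run the affected check over go.mod files without a Go toolchain on every host. The following program is an added example, not code from the advisory or from the x/crypto project: it scans go.mod text for the required (or replaced) version of golang.org/x/crypto and compares it against the fixed version v0.45.0 stated above. The go.mod it scans is a constructed sample embedded for offline demonstration; point XCryptoVersion at a real file's contents to use it. A replace directive to a local path carries no version and is not resolved, and `go list -m golang.org/x/crypto` remains the authoritative answer.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module is the affected module path and FixedVersion the first release
// carrying the fix, both taken from the advisory text.
const (
	Module       = "golang.org/x/crypto"
	FixedVersion = "v0.45.0"
)

// sampleGoMod is a constructed go.mod used only to run the check offline.
const sampleGoMod = `module example.com/demo

go 1.22

require (
	golang.org/x/crypto v0.31.0
	golang.org/x/sys v0.28.0 // indirect
)
`

// XCryptoVersion returns the version of Module required by a go.mod, honouring
// a versioned replace directive over the require line. ok is false when the
// module is not required or its version cannot be determined.
func XCryptoVersion(gomod string) (version string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if f[0] == "require" || f[0] == "replace" { // single-line form carries the keyword
			f = f[1:]
		}
		if len(f) == 0 || f[0] != Module {
			continue
		}
		switch {
		// "golang.org/x/crypto [vOld] => golang.org/x/crypto vNew": the replacement wins.
		case len(f) >= 4 && f[len(f)-3] == "=>" && f[len(f)-2] == Module:
			return f[len(f)-1], true
		// "golang.org/x/crypto vX.Y.Z" inside a require block or single-line require.
		case len(f) == 2 && strings.HasPrefix(f[1], "v"):
			version, ok = f[1], true
		}
	}
	return version, ok
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numbers and a
// pre-release flag; pseudo-versions like v0.45.0-0.2025...-abcdef count as pre-release.
func parseSemver(v string) (n [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = true, v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return n, false, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil {
			return n, false, fmt.Errorf("malformed version %q: %w", v, err)
		}
	}
	return n, pre, nil
}

// CompareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func CompareVersions(a, b string) (int, error) {
	na, pa, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	nb, pb, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	// Same numbers: a pre-release (or pseudo-version) sorts below the release.
	switch {
	case pa && !pb:
		return -1, nil
	case !pa && pb:
		return 1, nil
	}
	return 0, nil
}

// IsAffected reports whether the given x/crypto version predates the fix.
func IsAffected(version string) (bool, error) {
	c, err := CompareVersions(version, FixedVersion)
	return c < 0, err
}

func main() {
	v, ok := XCryptoVersion(sampleGoMod)
	if !ok {
		fmt.Println(Module, "not required; not affected")
		return
	}
	affected, err := IsAffected(v)
	if err != nil {
		fmt.Println("cannot parse version:", err)
		return
	}
	fmt.Printf("%s %s affected=%v (fixed in %s)\n", Module, v, affected, FixedVersion)
}
```

The pre-release handling matters in practice: a pseudo-version such as v0.45.0-0.20250101000000-abcdef123456 refers to a commit before the v0.45.0 tag and is therefore still reported as affected.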

Affected Packages

go: github.com/stretchr/testify

Affected Products

golang.org / SSH Agent

How to fix

To fix the vulnerability, upgrade golang.org/x/crypto to v0.45.0 or later. You can download the latest Go release from the official Go website: https://go.dev/dl/

Immediate mitigations:

  • Restrict network access to your SSH server (firewall it from the public internet)
  • Audit SSH server logs for suspicious activity patterns
  • Monitor for unauthorized connection attempts