Cyber Posture

CVE-2025-22869

High

Published: 26 February 2025

Modified: 01 May 2025
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0059 (69.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22869 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Go's ssh package. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 30.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly remediates the specific flaw in Go's SSH implementation that causes unbounded memory allocation from stalled key exchanges during file transfer, as addressed in the vulnerability advisory and the associated code changes.

- prevent (SC-5, Denial-of-service Protection): Provides denial-of-service protections that limit the effects of resource-exhaustion attacks exploiting slow or incomplete SSH key exchanges.

- prevent (SC-6, Resource Availability): Ensures availability of memory resources by preventing unauthorized depletion through pending, untransmitted content in stalled SSH file transfer sessions.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a DoS vulnerability in SSH servers exploitable via incomplete key exchanges causing resource exhaustion, directly enabling Endpoint Denial of Service through application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Deeper analysis

CVE-2025-22869 is a denial-of-service vulnerability in SSH servers that implement file transfer protocols. The issue arises when a client completes the key exchange slowly or not at all: the server reads pending content into memory to be sent once the exchange completes, but that content is never transmitted and the buffer is never released. The result is unbounded memory growth, classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability is in Go's SSH implementation, as the referenced advisory and code changes show.

An unauthenticated network attacker can exploit this vulnerability with low complexity and no user interaction. By opening SSH connections for file transfer and deliberately delaying or omitting completion of the key exchange, the attacker causes the server to accumulate untransmitted data in memory, resulting in a denial of service (high availability impact, no confidentiality or integrity impact). The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Mitigation details are provided in Go's vulnerability advisory GO-2025-3487 at https://pkg.go.dev/vuln/GO-2025-3487, with associated code changes at https://go.dev/cl/652135 and issue discussion at https://go.dev/issue/71931. NetApp advisory NTAP-20250411-0010 at https://security.netapp.com/advisory/ntap-20250411-0010/ addresses impacts on their products.
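The two controls above (SC-5 and SC-6) both come down to bounding what a single pre-key-exchange peer can cost the server. The following Go program is an added illustration written for this page; it is not code from Go's ssh package or from the referenced fix, and all names in it (pendingQueue, ErrPendingLimit, waitForKex, FillUntilLimit, StalledPeerTimesOut) are constructed for the example. It models the "pending content" from the NVD description as a per-connection queue that refuses to grow past a cap, and pairs it with a handshake deadline so a peer that stalls the exchange is disconnected instead of holding memory indefinitely. The key exchange itself is simulated (any byte arriving counts as completion) so the example runs with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// ErrPendingLimit is returned when a write would push the per-connection
// pending buffer past its cap. Constructed for this example; it is not an
// identifier from Go's ssh package.
var ErrPendingLimit = errors.New("pending write limit reached before key exchange completed")

// pendingQueue models the "pending content" the advisory describes: data the
// server wants to send but must hold until the peer finishes key exchange.
// The vulnerable pattern lets this grow without bound; here it is capped.
type pendingQueue struct {
	mu       sync.Mutex
	maxBytes int
	buffered int
	packets  [][]byte
}

func newPendingQueue(maxBytes int) *pendingQueue {
	return &pendingQueue{maxBytes: maxBytes}
}

// Enqueue holds a copy of p until Flush. It refuses to exceed maxBytes, which
// turns unbounded allocation (CWE-770) into a bounded, loggable failure that
// the server can answer by closing the connection.
func (q *pendingQueue) Enqueue(p []byte) error {
	q.mu.Lock()
	defer q.mu.Unlock()
	if q.buffered+len(p) > q.maxBytes {
		return ErrPendingLimit
	}
	cp := append([]byte(nil), p...)
	q.packets = append(q.packets, cp)
	q.buffered += len(cp)
	return nil
}

// Flush returns everything held and resets the queue; a real server would
// call this once the key exchange finishes and the packets can be sent.
func (q *pendingQueue) Flush() [][]byte {
	q.mu.Lock()
	defer q.mu.Unlock()
	out := q.packets
	q.packets, q.buffered = nil, 0
	return out
}

// waitForKex is the second guard: a peer that stalls the exchange is cut off
// after timeout rather than being allowed to hold resources indefinitely.
// Completion is simulated as "any byte arrives" to avoid needing an SSH stack.
func waitForKex(conn net.Conn, timeout time.Duration) error {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	defer conn.SetReadDeadline(time.Time{})
	buf := make([]byte, 1)
	_, err := conn.Read(buf)
	return err
}

// StalledPeerTimesOut simulates a client that never completes the exchange
// over an in-memory net.Pipe and reports whether the server side gave up
// with a timeout error (the behaviour a defender wants).
func StalledPeerTimesOut(timeout time.Duration) bool {
	server, client := net.Pipe()
	defer server.Close()
	defer client.Close()
	err := waitForKex(server, timeout)
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// FillUntilLimit enqueues fixed-size packets until the cap refuses one and
// returns how many were accepted together with the refusing error, showing
// that the bound actually holds.
func FillUntilLimit(maxBytes, packetSize int) (accepted int, err error) {
	q := newPendingQueue(maxBytes)
	pkt := make([]byte, packetSize)
	for {
		if err = q.Enqueue(pkt); err != nil {
			return accepted, err
		}
		accepted++
	}
}

func main() {
	n, err := FillUntilLimit(4096, 1024)
	fmt.Printf("accepted %d packets, then: %v\n", n, err)
	fmt.Println("stalled peer disconnected:", StalledPeerTimesOut(100*time.Millisecond))
}
```

Running it shows four 1 KiB packets accepted against a 4 KiB cap and the fifth refused, and a peer that never completes the exchange being dropped at the deadline. In a deployment the cap and deadline values are policy decisions; the point is that both exist, and that the error paths are logged so that a burst of ErrPendingLimit or handshake timeouts from many sources is visible to detection as a resource-exhaustion attempt rather than silent memory growth. Upgrading the Go ssh package beyond the affected 0.35.0 per advisory GO-2025-3487 remains the primary fix.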

Details

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products: go / ssh, versions ≤ 0.35.0

CVEs Like This One

- CVE-2025-22868 (same vendor: Go)
- CVE-2026-33256 (shared CWE-770)
- CVE-2026-26313 (shared CWE-770)
- CVE-2025-27219 (shared CWE-770)
- CVE-2026-24458 (shared CWE-770)
- CVE-2025-68136 (shared CWE-770)
- CVE-2026-3260 (shared CWE-770)
- CVE-2026-34513 (shared CWE-770)
- CVE-2026-5438 (shared CWE-770)
- CVE-2025-21521 (shared CWE-770)

References

- Go vulnerability advisory GO-2025-3487: https://pkg.go.dev/vuln/GO-2025-3487
- Go code change: https://go.dev/cl/652135
- Go issue discussion: https://go.dev/issue/71931
- NetApp advisory NTAP-20250411-0010: https://security.netapp.com/advisory/ntap-20250411-0010/