Cyber Resilience

CVE-2025-22869

HighDDoS

Published: 26 February 2025

Published
26 February 2025
Modified
01 May 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0059 69.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22869 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Go Ssh. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 30.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-22869 is a denial-of-service vulnerability in SSH servers that implement file transfer protocols. The issue arises when clients complete the key exchange slowly or not at all, causing the server to read pending content into memory without ever transmitting it. This leads to potential resource exhaustion, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability is tied to Go's SSH implementation, as evidenced by related development references.

An unauthenticated network attacker can exploit this vulnerability with low complexity and no user interaction required. By initiating SSH connections for file transfer and deliberately delaying or omitting key exchange completion, the attacker causes the server to accumulate untransmitted data in memory, resulting in denial of service through high availability impact. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Mitigation details are provided in Go's vulnerability advisory GO-2025-3487 at https://pkg.go.dev/vuln/GO-2025-3487, with associated code changes at https://go.dev/cl/652135 and issue discussion at https://go.dev/issue/71931. NetApp advisory NTAP-20250411-0010 at https://security.netapp.com/advisory/ntap-20250411-0010/ addresses impacts on their products.

EU & UK References

Vulnerability details

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a DoS vulnerability in SSH servers exploitable via incomplete key exchanges causing resource exhaustion, directly enabling Endpoint Denial of Service through application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22868Same vendor: Go
CVE-2021-47877Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2025-66560Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2020-37038Shared CWE-770
CVE-2025-36070Shared CWE-770
CVE-2021-47791Shared CWE-770
CVE-2021-47876Shared CWE-770
CVE-2019-25342Shared CWE-770

Affected Assets

go
ssh
≤ 0.35.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific flaw in Go's SSH implementation causing unbounded memory allocation from stalled key exchanges during file transfer, as addressed in the vulnerability advisory and code changes.

prevent

Provides denial-of-service protections that limit the effects of resource exhaustion attacks exploiting slow or incomplete SSH key exchanges.

prevent

Ensures availability of memory resources by preventing unauthorized depletion from pending untransmitted content in stalled SSH file transfer sessions.

References