CVE-2025-22869

7.5 HIGH

📋 TL;DR

SSH servers that implement file transfer protocols (such as SFTP or SCP) are vulnerable to a resource-exhaustion denial of service. A malicious client can open connections and then complete the key exchange slowly or not at all, which causes the server to read pending content into memory that is never transmitted. Any SSH server built on a vulnerable implementation is affected, in particular those built on the Go golang.org/x/crypto/ssh package.

💻 Affected Systems

Products:
  • Go SSH server implementations
  • Applications using golang.org/x/crypto/ssh package
  • NetApp products using vulnerable Go SSH libraries
Versions: Go applications built with an affected version of the golang.org/x/crypto/ssh package (the exact version range is listed in the GO-2025-3487 advisory)
Operating Systems: All platforms running affected Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only SSH servers that implement file transfer protocols (SFTP/SCP) are affected; standard SSH shell sessions are not.


⚠️ Risk & Real-World Impact

🔴 Worst Case: A sustained attack could exhaust server memory, crashing the SSH service and blocking legitimate SSH access, potentially requiring a server reboot.

🟠 Likely Case: Degraded SSH performance and intermittent disruption of file transfer operations, with possible memory pressure affecting other services on the same host.

🟢 If Mitigated: Minimal impact with proper connection limits and monitoring; isolated to the SSH file transfer functionality.

🌐 Internet-Facing: HIGH - SSH servers exposed to the internet are directly accessible to attackers who can initiate malicious connections without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires no authentication and minimal technical skill: the attacker only needs to open SSH connections and then complete the key exchange slowly or not at all.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go security update addressing GO-2025-3487 (check specific Go version)

Vendor Advisory: https://pkg.go.dev/vuln/GO-2025-3487

Restart Required: Yes

Instructions:

1. Update the Go installation to the patched version.
2. Rebuild and redeploy the affected SSH server applications.
3. Restart the SSH services.

🔧 Temporary Workarounds

Connection Rate Limiting (Linux)

Limit simultaneous SSH connections and the connection rate using the firewall or the SSH server's configuration.

# Example using iptables: the recent module records each new connection per source;
# a source that reaches 10 new connections within 60 seconds has further ones dropped
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Disable File Transfer Protocols (all platforms)

If they are not needed, disable the SFTP/SCP subsystems in the SSH server's configuration. The snippet below is OpenSSH sshd_config syntax; a server built on golang.org/x/crypto/ssh does not read sshd_config, so apply the equivalent setting in that server's own configuration.

# In sshd_config: comment out or remove the SFTP subsystem line
# Subsystem sftp /usr/lib/openssh/sftp-server
# Use Match blocks to restrict file transfer access to the users who need it

🧯 If You Can't Patch

  • Implement network-level controls: rate limit SSH connections at firewall/load balancer
  • Monitor SSH server memory usage and restart service if abnormal patterns detected
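A server-side complement to the network-level controls above, as an added example that is not code from this advisory or from the Go project: a net.Listener wrapper that caps simultaneously open connections per source IP, plus a handshake deadline so that a client which stalls key exchange is dropped before it can keep buffered output in server memory. The wrapper works with any net.Listener; handshakeWithDeadline takes the handshake as a function, and the assumption is that a real server passes it a closure around ssh.NewServerConn(conn, config) from golang.org/x/crypto/ssh. The main function is an offline demo that uses net.Pipe and a stub handshake which waits for the first byte.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// ErrHandshakeTimeout marks a client that never finished key exchange in time.
var ErrHandshakeTimeout = errors.New("ssh handshake deadline exceeded")

type limitedListener struct {
	net.Listener
	mu       sync.Mutex
	perIP    map[string]int // open connections per source IP
	maxPerIP int
}

func newLimitedListener(inner net.Listener, maxPerIP int) *limitedListener {
	return &limitedListener{Listener: inner, perIP: map[string]int{}, maxPerIP: maxPerIP}
}

// admit counts a new connection from ip and reports whether it is under the cap.
func (l *limitedListener) admit(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.perIP[ip] >= l.maxPerIP {
		return false
	}
	l.perIP[ip]++
	return true
}

// release gives back the slot taken by admit.
func (l *limitedListener) release(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.perIP[ip]--; l.perIP[ip] <= 0 {
		delete(l.perIP, ip)
	}
}

// Accept returns the next admitted connection; over-cap ones are closed at once.
func (l *limitedListener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if ip := remoteIP(c); l.admit(ip) {
			return &countedConn{Conn: c, release: func() { l.release(ip) }}, nil
		}
		c.Close() // dropped before any key-exchange state or buffer exists for it
	}
}

func remoteIP(c net.Conn) string {
	if host, _, err := net.SplitHostPort(c.RemoteAddr().String()); err == nil {
		return host
	}
	return c.RemoteAddr().String()
}

// countedConn frees its per-IP slot exactly once, when it is closed.
type countedConn struct {
	net.Conn
	once    sync.Once
	release func()
}

func (c *countedConn) Close() error {
	c.once.Do(c.release)
	return c.Conn.Close()
}

// handshakeWithDeadline runs handshake (for x/crypto/ssh, a closure around ssh.NewServerConn)
// under a deadline. A stalled or failed handshake closes the connection; on success the
// deadline is cleared so that a long file transfer on the session is not cut off later.
func handshakeWithDeadline(conn net.Conn, d time.Duration, handshake func(net.Conn) error) error {
	if err := conn.SetDeadline(time.Now().Add(d)); err != nil {
		conn.Close()
		return err
	}
	if err := handshake(conn); err != nil {
		conn.Close()
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			return fmt.Errorf("%w: %v", ErrHandshakeTimeout, err)
		}
		return err
	}
	return conn.SetDeadline(time.Time{})
}

func main() {
	server, client := net.Pipe() // the client side never speaks: the stall case
	defer client.Close()
	stall := func(c net.Conn) error { _, err := c.Read(make([]byte, 1)); return err }
	fmt.Println("handshake result:", handshakeWithDeadline(server, 200*time.Millisecond, stall))
}
```

In a real deployment newLimitedListener wraps the result of net.Listen("tcp", ...), and every accepted connection goes through handshakeWithDeadline before the session is served. This bounds how much one source can tie up and for how long; it does not remove the underlying buffering problem, which the module update in GO-2025-3487 does. Pick maxPerIP and the deadline with NAT'd client populations in mind, since a cap that is too low rejects legitimate users behind a shared address.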

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses the golang.org/x/crypto/ssh package and whether the version it is built with falls in the affected range listed in GO-2025-3487.

Check Version:

go version

Note that go version reports only the toolchain; the affected code is the golang.org/x/crypto module the application depends on, so also check that module's version in the application's go.mod against the range in GO-2025-3487.

Verify Fix Applied:

Verify that the Go installation is updated and the application has been rebuilt with the patched library, then test SSH file transfer functionality.
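To run the "Check if Vulnerable" step across many source trees, here is an added example (not code from this advisory or from the Go project) that reads a module's go.mod to find the required golang.org/x/crypto version and uses the standard go/parser package to see whether any Go file imports golang.org/x/crypto/ssh. It hard-codes no version numbers: the reported version has to be compared with the range in GO-2025-3487, or the tree can be checked with govulncheck, which performs that comparison itself.

```go
package main

import (
	"bufio"
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"strings"
)

// sshPkg is the package named in GO-2025-3487.
const sshPkg = "golang.org/x/crypto/ssh"

// ModuleReport describes one go.mod and the source tree beneath it.
type ModuleReport struct {
	Dir            string
	XCryptoVersion string // "" when the module does not require golang.org/x/crypto
	ImportsSSH     bool   // true when any .go file imports golang.org/x/crypto/ssh
}

// xcryptoRequirement extracts the golang.org/x/crypto version from go.mod text.
// It accepts both "require golang.org/x/crypto vX" and the parenthesised
// require block form; a trailing "// indirect" marker is ignored.
func xcryptoRequirement(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 3 && f[0] == "require" && f[1] == "golang.org/x/crypto":
			return f[2]
		case len(f) >= 2 && f[0] == "golang.org/x/crypto":
			return f[1]
		}
	}
	return ""
}

// importsSSH parses only the import section of one .go file and reports
// whether it imports the affected package.
func importsSSH(path string) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), path, nil, parser.ImportsOnly)
	if err != nil {
		return false, err
	}
	for _, imp := range f.Imports {
		if strings.Trim(imp.Path.Value, `"`) == sshPkg {
			return true, nil
		}
	}
	return false, nil
}

// scanModule reports on the module rooted at dir, which must contain go.mod.
func scanModule(dir string) (ModuleReport, error) {
	rep := ModuleReport{Dir: dir}
	data, err := os.ReadFile(filepath.Join(dir, "go.mod"))
	if err != nil {
		return rep, err
	}
	rep.XCryptoVersion = xcryptoRequirement(string(data))
	err = filepath.WalkDir(dir, func(p string, d os.DirEntry, werr error) error {
		if werr != nil || d.IsDir() || !strings.HasSuffix(p, ".go") {
			return werr
		}
		// Files that fail to parse are skipped rather than aborting the scan.
		if ok, perr := importsSSH(p); perr == nil && ok {
			rep.ImportsSSH = true
		}
		return nil
	})
	return rep, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: scan <module-dir>")
		os.Exit(2)
	}
	rep, err := scanModule(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: golang.org/x/crypto=%q imports %s: %v\n", rep.Dir, rep.XCryptoVersion, sshPkg, rep.ImportsSSH)
	fmt.Println("compare the version with the affected range in GO-2025-3487, or run: govulncheck ./...")
}
```

A module that requires golang.org/x/crypto but never imports the ssh package is not an SSH server and is out of scope for this advisory, which is why the report carries both fields; a module with ImportsSSH true and a version inside the advisory's range is the one to rebuild.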

📡 Detection & Monitoring

Log Indicators:

  • Multiple SSH connections with incomplete authentication
  • SSH connections staying in 'key exchange' state for extended periods
  • Increased memory usage by SSH daemon

Network Indicators:

  • Unusual number of SSH connections from single sources
  • SSH connections with abnormal packet timing patterns

SIEM Query:

source="sshd" ("Failed password" OR "Invalid user") | stats count by src_ip | where count > threshold

This query surfaces sources with repeated authentication failures; a client that stalls key exchange never reaches authentication, so it is a coarser signal than the key-exchange indicators listed above. Replace threshold with a value tuned for your environment.
