On November 19, 2025, the Golang project published two Common
Vulnerabilities and Exposures (CVEs) affecting the widely-used
golang.org/x/crypto/ssh package.While neither vulnerability
received a critical CVSS score, both presented real risks to
applications using SSH functionality in Go-based containers.
CVE-2025-58181 affects SSH
servers parsing GSSAPI authentication requests.The vulnerability
allows attackers to trigger unbounded memory consumption by
exploiting the server’s failure to validate the number of
mechanisms specified in authentication requests.CVE-2025-47914 impacts SSH Agent servers that