Golang.org/x/crypto

This hub aggregates every CVE we track for Golang.org/x/crypto, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 13 most recently published vulnerabilities affecting Golang.org/x/crypto.

• CVE-2025-47914Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent5.3Nov 19, 2025
• CVE-2025-58181Unbounded memory consumption in golang.org/x/crypto/ssh5.3Nov 19, 2025
• CVE-2025-22869Potential denial of service in golang.org/x/crypto7.5Feb 26, 2025
• CVE-2024-45337Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto9.1Dec 11, 2024
• CVE-2023-48795The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (fr...5.9Dec 18, 2023
• CVE-2021-43565The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.7.5Sep 6, 2022
• CVE-2022-27191The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.7.5Mar 18, 2022
• CVE-2020-29652A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.7.5Dec 17, 2020
• CVE-2020-7919Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509...7.5Mar 16, 2020
• CVE-2020-9283golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that acce...7.5Feb 20, 2020
• CVE-2019-11841A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4...5.9May 22, 2019
• CVE-2019-11840An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/...5.9May 9, 2019
• CVE-2017-3204The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostke...8.1Apr 4, 2017