CVE-2025-22869
Published: 26 February 2025
Description
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Security Summary
CVE-2025-22869 is a denial-of-service vulnerability in SSH servers that implement file transfer protocols. The issue arises when clients complete the key exchange slowly or not at all, causing the server to read pending content into memory without ever transmitting it. This leads to potential resource exhaustion, mapped to CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability is tied to Go's SSH implementation, as evidenced by related development references.
An unauthenticated network attacker can exploit this vulnerability with low complexity and no user interaction. By initiating SSH connections for file transfer and deliberately delaying or omitting key exchange completion, the attacker causes the server to accumulate untransmitted data in memory, resulting in a denial of service (high availability impact). The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Mitigation details are provided in Go's vulnerability advisory GO-2025-3487 at https://pkg.go.dev/vuln/GO-2025-3487, with associated code changes at https://go.dev/cl/652135 and issue discussion at https://go.dev/issue/71931. NetApp advisory NTAP-20250411-0010 at https://security.netapp.com/advisory/ntap-20250411-0010/ addresses impacts on their products.
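The CWE-770 pattern described above, as an added Go simulation that is not taken from the advisory or from Go's SSH implementation: packets written while a key exchange is unfinished are held in memory, first without a limit and then with a cap. The `transport` type, its methods and the 64 KiB `maxPendingBytes` value are assumptions made for this example.

```go
package main

import "fmt"

// Assumed cap for this example; not a value taken from the advisory.
const maxPendingBytes = 64 * 1024

var errQueueFull = fmt.Errorf("pending queue full while key exchange is unfinished")

// transport is a hypothetical stand-in for an SSH transport, not Go's SSH code.
type transport struct {
	kexPending   bool     // a key exchange is in progress
	pending      [][]byte // packets held back until it finishes
	queued, sent int      // bytes held in memory / bytes put on the wire
	limit        int      // 0 = unbounded (the CWE-770 behaviour)
}

// writePacket sends p at once, or queues it while a key exchange is pending.
func (t *transport) writePacket(p []byte) error {
	if !t.kexPending {
		t.sent += len(p)
		return nil
	}
	if t.limit > 0 && t.queued+len(p) > t.limit {
		return errQueueFull // a real transport could block the writer instead
	}
	t.pending = append(t.pending, append([]byte(nil), p...))
	t.queued += len(p)
	return nil
}

// finishKex flushes the queue once the peer completes the key exchange.
func (t *transport) finishKex() {
	t.sent += t.queued
	t.pending, t.queued, t.kexPending = nil, 0, false
}

// serveFile pushes size bytes in 32 KiB chunks and returns the bytes left in memory.
func serveFile(t *transport, size int) int {
	chunk := make([]byte, 32*1024)
	for off := 0; off < size && t.writePacket(chunk) == nil; off += len(chunk) {
	}
	return t.queued
}

func main() {
	fmt.Println("unbounded:", serveFile(&transport{kexPending: true}, 8<<20))
	fmt.Println("capped:", serveFile(&transport{kexPending: true, limit: maxPendingBytes}, 8<<20))
}
```

With the cap in place, the bytes held per stalled connection stay at the limit regardless of the file size, and the file handler sees an error it can use to stop reading.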
Details
- CWE(s)