golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Affected Packages

Go golang.org/x/crypto

Affected versions: 0 (fixed in 0.0.0-20200220183623-bac4c82f6975)

Related CVEs

CVE-2020-9283

Key Information

GHSA ID

GHSA-ffhg-7mh4-33c4

Published

May 18, 2021 3:29 PM

Last Modified

February 16, 2023 12:14 AM

CVSS Score

7.5 /10

Primary Ecosystem

Primary Package

golang.org/x/crypto

GitHub Reviewed

✓ Yes

Dataset

Last updated: October 1, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.