[security] Vulnerability in golang.org/x/crypto

[anno...@golang.org]

Hello gophers,

We have tagged version v0.35.0 of golang.org/x/crypto in order to address a security issue.

Version v0.35.0 of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which could cause a denial of service.

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Thanks to Yuichi Watanabe for reporting this issue.

This is CVE-2025-22869 and Go issue https://go.dev/issue/71931.

Cheers,
Go Security team