Report ID
GO-2026-5023
Suggestion/Comment
Please update the affected range - v0.43.0 → v0.51.0
- The vulnerable code is the VerifiedPublicKeyCallback path. It was
added by commit 2beaa59 ("ssh: add VerifiedPublicKeyCallback",
CL 636335). Despite the author date of 2024-12-15, it actually landed
(committer date) 2025-09-27.
- Grepping upstream ssh/server.go at each release: v0.31.0–v0.42.0 =
absent, v0.43.0 = present (and every release after). So v0.43.0 is the
first release exposing the bug.
- Counting checkSourceAddress occurrences (1 definition + N call sites):
v0.43.0–v0.51.0 = 2 (one call site → only PublicKeyCallback validated →
vulnerable), v0.52.0 = 3 (second call site after
VerifiedPublicKeyCallback → fixed).
- GitHub compare confirms the fix commit 533fb3f is an ancestor of
v0.52.0 (ahead_by: 0), so the fix shipped in v0.52.0.
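
The occurrence count in the third bullet can also be taken from the AST, so that mentions of `checkSourceAddress` in comments or strings are not counted as call sites. This is an added example, not part of the original report or of x/crypto: `classify`, `tmpl` and the sample source are constructed for illustration, and it assumes `checkSourceAddress` is invoked as a plain function call.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed stand-in for ssh/server.go (NOT the real x/crypto source).
// %s is where the fixed variant gets its second checkSourceAddress call.
const tmpl = `package ssh
func checkSourceAddress() error { return nil }
func auth(c *ServerConfig) {
	if c.PublicKeyCallback() == nil { _ = checkSourceAddress() }
	if c.VerifiedPublicKeyCallback() == nil { %s }
}`
var vulnSrc, fixedSrc = fmt.Sprintf(tmpl, ""), fmt.Sprintf(tmpl, "_ = checkSourceAddress()")

// classify applies the report's heuristic with AST call counting: no
// VerifiedPublicKeyCallback -> absent; one call site -> vulnerable; more -> fixed.
func classify(src string) (string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "server.go", src, 0)
	if err != nil {
		return "", err
	}
	hasVerified, calls := false, 0
	ast.Inspect(f, func(n ast.Node) bool {
		if id, ok := n.(*ast.Ident); ok && id.Name == "VerifiedPublicKeyCallback" {
			hasVerified = true
		} else if c, ok := n.(*ast.CallExpr); ok {
			if id, ok := c.Fun.(*ast.Ident); ok && id.Name == "checkSourceAddress" {
				calls++
			}
		}
		return true
	})
	if !hasVerified {
		return "absent", nil
	}
	if calls >= 2 {
		return "fixed", nil
	}
	return "vulnerable", nil
}

func main() {
	fmt.Println(classify(vulnSrc))
	fmt.Println(classify(fixedSrc))
}
```

Run against the real `ssh/server.go` at each tag, the same function would reproduce the per-release check described in the report.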