seclog: please fix vulnerability like CVE-2025-22868, CVE-2025-22869, CVE-2024-45337 #5225
Description
Summary
We found the following vulnerability even in the latest version 3.21.
CVE-2025-22868 (Go oauth2 package DoS vulnerability):
https://nvd.nist.gov/vuln/detail/CVE-2025-22868
CVE-2025-22869 (Go crypto/ssh DoS vulnerability in file transfer protocols):
https://nvd.nist.gov/vuln/detail/CVE-2025-22869
CVE-2024-45337 (Go crypto/ssh authorization bypass vulnerability):
https://nvd.nist.gov/vuln/detail/CVE-2024-45337
Details
Here are the solutions for the three vulnerabilities:
CVE-2025-22868 (Go oauth2 package DoS vulnerability):
The vulnerability in the golang.org/x/oauth2 package allows a maliciously crafted token to cause denial of service due to excessive memory consumption.
The fix is to upgrade the golang.org/x/oauth2 package to version v0.27.0 or later, which includes a patch to safely handle token parsing.
Apply this upgrade in your project dependencies and rebuild/redeploy any applications using this package to mitigate the DoS risk.
CVE-2025-22869 (Go crypto/ssh DoS vulnerability in file transfer protocols):
This vulnerability affects the crypto/ssh package, specifically SCP and SFTP protocols, causing Denial of Service via crafted requests.
Upgrade your Go environment to version 1.25.2, 1.26.1 or later where this issue is fixed.
Additionally, if using Linux distributions or vendor packages, apply relevant security patches they provide.
Monitoring resource usage during SSH file transfers is recommended as an interim mitigation.
CVE-2024-45337 (Go crypto/ssh authorization bypass vulnerability):
This critical authorization bypass flaw in the crypto/ssh package is fixed in Go versions 1.24.6, 1.25.8, and later.
Upgrade your Go runtime environment or crypto/ssh dependency accordingly.
Verify strict SSH authorization configuration in your applications for additional security.
Apply vendor patches where applicable.
Summary:
For all three issues, the primary solution is upgrading the relevant Go packages or the Go runtime itself to secure patched versions:
golang.org/x/oauth2 to v0.27.0+ for CVE-2025-22868,
Go 1.25.2 / 1.26.1+ for CVE-2025-22869,
Go 1.24.6 / 1.25.8+ for CVE-2024-45337.
Ensure you test and deploy updated versions promptly to protect your applications against DoS and authorization bypass risks related to these Go vulnerabilities.
References: Official NVD records and Go release notes
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
What kind of vulnerability is it? Who is impacted?
Remediation
Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue.