Update golang.org/x/crypto to address security vulnerabilities

[sebrandon1]

⚠️ Outdated golang.org/x/crypto Dependency

This repository is currently using golang.org/x/crypto v0.33.1 but the latest version is v0.48.0.

Last scanned: 2026-02-18 06:51 UTC

Why Update?

Keeping cryptographic dependencies up-to-date is critical for security. Newer versions often include fixes for known vulnerabilities.

🔒 Security Vulnerabilities Fixed in Newer Versions

The following CVEs have been addressed in versions after v0.33.1:

• CVE-2025-22869 (HIGH): golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange - Fixed in 0.35.0 (details)
• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

📋 How to Update

Run the following command to update:

go get golang.org/x/crypto@v0.48.0
go mod tidy

Then run your tests and submit a PR with the changes.

🔗 Central Tracking

This issue is part of an organization-wide effort to keep golang.org/x/crypto dependencies up-to-date.

See the central tracking issue for a full overview: redhat-best-practices-for-k8s/telco-bot#59

---

This issue is automatically managed by the xcrypto-lookup.sh scanner.

[sebrandon1]

⚠️ Reopened: This repository is now using golang.org/x/crypto v0.33.1, which is outdated. The latest version is v0.46.0.

Security Vulnerabilities to Address

• CVE-2025-22869 (HIGH): golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange - Fixed in 0.35.0 (details)
• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

Central tracking: redhat-best-practices-for-k8s/telco-bot#59

---

Automatically reopened by xcrypto-lookup.sh

[sebrandon1]

⚠️ Reopened: This repository is now using golang.org/x/crypto v0.33.1, which is outdated. The latest version is v0.47.0.

Security Vulnerabilities to Address

• CVE-2025-22869 (HIGH): golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange - Fixed in 0.35.0 (details)
• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

Central tracking: redhat-best-practices-for-k8s/telco-bot#59

---

Automatically reopened by xcrypto-lookup.sh

[sebrandon1]

⚠️ Reopened: This repository is now using golang.org/x/crypto v0.33.1, which is outdated. The latest version is v0.47.0.

Security Vulnerabilities to Address

• CVE-2025-22869 (HIGH): golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange - Fixed in 0.35.0 (details)
• CVE-2025-47914 (MODERATE): golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read - Fixed in 0.45.0 (details)
• CVE-2025-58181 (MODERATE): golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption - Fixed in 0.45.0 (details)

Central tracking: redhat-best-practices-for-k8s/telco-bot#59

---

Automatically reopened by xcrypto-lookup.sh