chore(deps): update module golang.org/x/crypto to v0.45.0 [security]

[NumaryBot]

This PR contains the following updates:

Package	Type	Update	Change
golang.org/x/crypto	indirect	minor	v0.43.0 -> v0.45.0

GitHub Vulnerability Alerts

CVE-2025-58181

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

CVE-2025-47914

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

---

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-47914
• https://go.dev/cl/721960
• https://go.dev/issue/76364
• https://go.googlesource.com/crypto
• https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
• https://pkg.go.dev/vuln/GO-2025-4135

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Unbounded memory consumption in golang.org/x/crypto/ssh

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

Unknown

References

• https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
• https://go.dev/cl/721961
• https://go.dev/issue/76363

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption

CVE-2025-58181 / GHSA-j5w8-q4qc-rx2x / GO-2025-4134

More information

Details

SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-58181
• https://go.dev/cl/721961
• https://go.dev/issue/76363
• https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
• https://pkg.go.dev/vuln/GO-2025-4134

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent

CVE-2025-47914 / GHSA-f6x5-jh6r-wrfv / GO-2025-4135

More information

Details

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Severity

Unknown

References

• https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA
• https://go.dev/cl/721960
• https://go.dev/issue/76364

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[NumaryBot]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
golang.org/x/mod	v0.28.0 -> v0.29.0
golang.org/x/net	v0.45.0 -> v0.47.0
golang.org/x/sys	v0.37.0 -> v0.38.0
golang.org/x/text	v0.30.0 -> v0.31.0
golang.org/x/tools	v0.37.0 -> v0.38.0

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

• go.mod is excluded by !**/*.mod
• go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/go-golang.org-x-crypto-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.50%. Comparing base (b2c7e85) to head (ff75467).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #36   +/-   ##
=======================================
  Coverage   60.50%   60.50%           
=======================================
  Files          21       21           
  Lines        1532     1532           
=======================================
  Hits          927      927           
  Misses        457      457           
  Partials      148      148           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.