Bug
Resolution: Done
Major
Title: GHSA-hcg3-q754-cr77 in golang.org/x/crypto:v0.32.0
Defect Dojo link: http://localhost:8080/finding/8666 (8666)
Severity: High
Due Date: July 5, 2025
CWE: CWE-1352
CVE: GHSA-hcg3-q754-cr77
CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Product/Engagement/Test: Turnpike / Long-Term Vulnerability Tracking / turnpike-nginx-prometheus (Anchore Grype)
Vulnerable Component: golang.org/x/crypto - v0.32.0
Source File: /nginx-prometheus-exporter/nginx-prometheus-exporter
Description:
*Vulnerability Namespace:* github:language:go
*Vulnerability Description:* golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange
*Related Vulnerability Description:* SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
*Matcher:* go-module-matcher
*Package URL:* pkg:golang/golang.org/x/crypto@v0.32.0
Mitigation:
Upgrade to version: 0.35.0
Impact:
None
References:
*Vulnerability Datasource:* https://github.com/advisories/GHSA-hcg3-q754-cr77
*Related Vulnerability Datasource:* https://nvd.nist.gov/vuln/detail/CVE-2025-22869
*Related Vulnerability URLs:*