{"package":"golang.org/x/crypto","ecosystem":"go","latest_version":"v0.50.0","description":"","license":"BSD-3-Clause","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/golang.org/x/crypto","repository":"https://github.com/golang/crypto","downloads_weekly":0,"health":{"score":43,"risk":"high","breakdown":{"maintenance":25,"popularity":0,"security":0,"maturity":12,"community":6},"deprecated":false,"max_score":100},"vulnerabilities":{"count":18,"critical":0,"high":6,"medium":3,"low":9,"details":[{"vuln_id":"CVE-2020-29652","severity":"high","summary":"golang.org/x/crypto/ssh NULL Pointer Dereference vulnerability","affected_versions":"<0.0.0-20201216223049-8b5274cf687f","fixed_version":"0.0.0-20201216223049-8b5274cf687f","source":"osv","published_at":"2022-05-24T22:01:25Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08696,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-48795","severity":"medium","summary":"Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin","affected_versions":"<0.40.2|>=0.1.0,<0.17.0|>=2.5.0,<3.4.0|<0.0.0-20231218163308-9d2ee975ef9f|=2.10.0|=2.10.1|=2.10.2|=2.10.3|=2.10.4|=2.10.5|=2.10.6|=2.11.0|=2.11.1|=2.12.0|=2.5.0|=2.5.1|=2.6.0|=2.7.0|=2.7.1|=2.7.2|=2.8.0|=2.8.1|=2.9.0|=2.9.1|=2.9.2|=2.9.3|=2.9.4|=2.9.5|=3.0.0|=3.1.0|=3.2.0|=3.3.0|=3.3.1|=3.3.2","fixed_version":"0.0.0-20231218163308-9d2ee975ef9f","source":"osv","published_at":"2023-12-18T19:22:09Z","in_kev":false,"epss_prob":0.58603,"epss_percentile":0.98222,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2022-27191","severity":"high","summary":"golang.org/x/crypto/ssh Denial of service via crafted 
Signer","affected_versions":"<0.0.0-20220314234659-1baeb1ce4c0b","fixed_version":"0.0.0-20220314234659-1baeb1ce4c0b","source":"osv","published_at":"2022-03-19T00:01:02Z","in_kev":false,"epss_prob":0.00089,"epss_percentile":0.25137,"threat_tier":"theoretical"},{"vuln_id":"BIT-golang-2020-7919","severity":"high","summary":"Helm uses crypto package vulnerable to panic from malformed X.509 certificate","affected_versions":">=2.0.0,<2.16.8|>=3.0.0,<3.1.0|<0.0.0-20200124225646-8b5121be2f68","fixed_version":"0.0.0-20200124225646-8b5121be2f68","source":"osv","published_at":"2021-06-23T18:02:39Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2020-9283","severity":"high","summary":"Improper Verification of Cryptographic Signature in golang.org/x/crypto","affected_versions":"<0.0.0-20200220183623-bac4c82f6975","fixed_version":"0.0.0-20200220183623-bac4c82f6975","source":"osv","published_at":"2021-05-18T15:29:31Z","in_kev":false,"epss_prob":0.18682,"epss_percentile":0.95296,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-43565","severity":"high","summary":"x/crypto/ssh vulnerable to panic via malformed packets","affected_versions":"<0.0.0-20211202192323-5770296d904e","fixed_version":"0.0.0-20211202192323-5770296d904e","source":"osv","published_at":"2022-09-07T00:01:52Z","in_kev":false,"epss_prob":0.00015,"epss_percentile":0.03294,"threat_tier":"theoretical"},{"vuln_id":"CVE-2019-11840","severity":"medium","summary":"golang.org/x/crypto/salsa20/salsa uses insufficiently random values","affected_versions":"<0.0.0-20190320223903-b7391e95e576","fixed_version":"0.0.0-20190320223903-b7391e95e576","source":"osv","published_at":"2022-05-24T16:45:25Z","in_kev":false,"epss_prob":0.02086,"epss_percentile":0.8408,"threat_tier":"theoretical"},{"vuln_id":"CVE-2019-11841","severity":"medium","summary":"Golang/x/crypto message forgery 
vulnerability","affected_versions":"<0.0.0-20190424203555-c05e17bb3b2d","fixed_version":"0.0.0-20190424203555-c05e17bb3b2d","source":"osv","published_at":"2022-05-24T16:46:15Z","in_kev":false,"epss_prob":0.00397,"epss_percentile":0.60567,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-3204","severity":"high","summary":"golang.org/x/crypto/ssh Man-in-the-Middle attack","affected_versions":"<0.0.0-20170330155735-e4e2799dd7aa","fixed_version":"0.0.0-20170330155735-e4e2799dd7aa","source":"osv","published_at":"2023-02-07T22:39:34Z","in_kev":false,"epss_prob":0.00453,"epss_percentile":0.63825,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-9283","severity":"unknown","summary":"Panic due to improper verification of cryptographic signatures in golang.org/x/crypto/ssh","affected_versions":"<0.0.0-20200220183623-bac4c82f6975","fixed_version":"0.0.0-20200220183623-bac4c82f6975","source":"osv","published_at":"2021-04-14T20:04:52Z","in_kev":false,"epss_prob":0.18682,"epss_percentile":0.95296,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-3204","severity":"unknown","summary":"Man-in-the-middle attack in golang.org/x/crypto/ssh","affected_versions":"<0.0.0-20170330155735-e4e2799dd7aa","fixed_version":"0.0.0-20170330155735-e4e2799dd7aa","source":"osv","published_at":"2021-04-14T20:04:52Z","in_kev":false,"epss_prob":0.00453,"epss_percentile":0.63825,"threat_tier":"theoretical"},{"vuln_id":"CVE-2020-29652","severity":"unknown","summary":"Panic on crafted authentication request message in golang.org/x/crypto/ssh","affected_versions":"<0.0.0-20201216223049-8b5274cf687f","fixed_version":"0.0.0-20201216223049-8b5274cf687f","source":"osv","published_at":"2022-02-17T17:35:32Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08696,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-27191","severity":"unknown","summary":"Denial of service via crafted Signer in 
golang.org/x/crypto/ssh","affected_versions":"<0.0.0-20220314234659-1baeb1ce4c0b","fixed_version":"0.0.0-20220314234659-1baeb1ce4c0b","source":"osv","published_at":"2022-04-25T20:38:40Z","in_kev":false,"epss_prob":0.00089,"epss_percentile":0.25137,"threat_tier":"theoretical"},{"vuln_id":"CVE-2019-11840","severity":"unknown","summary":"Insufficiently random values in golang.org/x/crypto/salsa20","affected_versions":"<0.0.0-20190320223903-b7391e95e576","fixed_version":"0.0.0-20190320223903-b7391e95e576","source":"osv","published_at":"2022-07-01T20:15:25Z","in_kev":false,"epss_prob":0.02086,"epss_percentile":0.8408,"threat_tier":"theoretical"},{"vuln_id":"BIT-golang-2020-7919","severity":"unknown","summary":"Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte","affected_versions":">=1.13.0-0,<1.13.7|<0.0.0-20200124225646-8b5121be2f68","fixed_version":"0.0.0-20200124225646-8b5121be2f68","source":"osv","published_at":"2022-07-06T18:23:48Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2021-43565","severity":"unknown","summary":"Panic on malformed packets in golang.org/x/crypto/ssh","affected_versions":"<0.0.0-20211202192323-5770296d904e","fixed_version":"0.0.0-20211202192323-5770296d904e","source":"osv","published_at":"2022-09-13T03:32:38Z","in_kev":false,"epss_prob":0.00015,"epss_percentile":0.03294,"threat_tier":"theoretical"},{"vuln_id":"CVE-2019-11841","severity":"unknown","summary":"Misleading message verification in golang.org/x/crypto/openpgp/clearsign","affected_versions":"<0.0.0-20190424203555-c05e17bb3b2d","fixed_version":"0.0.0-20190424203555-c05e17bb3b2d","source":"osv","published_at":"2023-08-23T14:38:42Z","in_kev":false,"epss_prob":0.00397,"epss_percentile":0.60567,"threat_tier":"theoretical"},{"vuln_id":"CVE-2022-30636","severity":"unknown","summary":"Limited directory traversal vulnerability on Windows in 
golang.org/x/crypto","affected_versions":"<0.0.0-20220525230936-793ad666bf5e","fixed_version":"0.0.0-20220525230936-793ad666bf5e","source":"osv","published_at":"2024-07-02T19:27:52Z","in_kev":false,"epss_prob":0.00189,"epss_percentile":0.40488,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":1},"versions":{"latest":"v0.50.0","total_count":50,"recent":["v0.34.0","v0.49.0","v0.14.0","v0.44.0","v0.11.0","v0.1.0","v0.48.0","v0.31.0","v0.32.0","v0.28.0","v0.35.0","v0.13.0","v0.17.0","v0.46.0","v0.29.0","v0.30.0","v0.39.0","v0.38.0","v0.2.0","v0.16.0"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2026-04-09T15:33:22Z","dependencies_count":0,"dependencies":[]},"github_stats":{"stars":3314,"forks":2162,"open_issues":85,"is_archived":false,"pushed_at":"2026-05-01T17:44:37Z","subscribers_count":157},"bundle":null,"typescript":null,"known_issues":{"bugs_count":26,"bugs_severity":{"high":6,"medium":19,"critical":1},"status_breakdown":{"fixed":26},"link":"/api/bugs/go/golang.org/x/crypto?version=v0.50.0","scope":"version","details":[{"title":"golang.org/x/crypto/ssh Man-in-the-Middle attack","severity":"high","status":"fixed","affected_version":null,"fixed_version":"0.0.0-20170330155735-e4e2799dd7aa","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-3204"},{"title":"golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange","severity":"high","status":"fixed","affected_version":null,"fixed_version":"0.35.0","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22869"},{"title":"x/crypto/ssh vulnerable to panic via malformed packets","severity":"high","status":"fixed","affected_version":null,"fixed_version":"0.0.0-20211202192323-5770296d904e","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43565"},{"title":"Improper Verification of Cryptographic Signature in 
golang.org/x/crypto","severity":"high","status":"fixed","affected_version":null,"fixed_version":"0.0.0-20200220183623-bac4c82f6975","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9283"},{"title":"golang.org/x/crypto/ssh Denial of service via crafted Signer","severity":"high","status":"fixed","affected_version":null,"fixed_version":"0.0.0-20220314234659-1baeb1ce4c0b","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27191"}]},"historical_compromise":null,"recommendation":{"action":"update_required","issues":["Moderate health score (43/100) — verify manually","6 high severity vulnerabilities"],"use_version":"v0.50.0","version_hint":"Update to >= 0.0.0-20220525230936-793ad666bf5e to fix known vulnerabilities; entries listed on this page carry later fixed versions (0.0.0-20231218163308-9d2ee975ef9f for CVE-2023-48795, 0.35.0 for CVE-2025-22869), so this floor alone does not cover them","summary":"golang.org/x/crypto@v0.50.0 has vulnerabilities — update to latest (v0.50.0 is itself the latest version, and every fixed version shown on this page precedes it)"},"version_scoped":null,"_meta":{"endpoint":"check","tier":"full","philosophy":"DepScope is free. Use the cheapest endpoint that answers your real question.","cheaper_alternatives":[{"endpoint":"/api/exists/go/golang.org%2Fx%2Fcrypto","tokens_estimated":12,"use_when":"you only need to know if the package exists (hallucination guard)"},{"endpoint":"/api/health/go/golang.org%2Fx%2Fcrypto","tokens_estimated":80,"use_when":"you only need a 0-100 score for go/no-go (>=70 = safe)"},{"endpoint":"/api/prompt/go/golang.org%2Fx%2Fcrypto","tokens_estimated":280,"use_when":"you want a plain-text LLM-friendly brief instead of JSON"},{"endpoint":"POST /api/check_bulk","tokens_estimated":60,"use_when":"you have 5+ packages to check; sends one round-trip instead of N"}],"docs":"https://depscope.dev/integrate","hint_bulk":"You've called /api/check 44 times in 60s. 
Save bandwidth + tokens with POST /api/check_bulk (1 round-trip for N pkgs)."},"requested_version":null,"_cache":"miss","_response_ms":1147,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":true,"bus_factor_3m":5,"active_contributors_12m":14,"primary_author_ratio":0.2972972972972973,"owner_account_age_days":4737,"is_archived":false,"stars":3314,"alerts":[]},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"co_used_with":[{"package":"Chitra","occurrences":7},{"package":"acronym","occurrences":7}],"version_history_summary":{"total_versions":21,"first_release_age_days":null,"last_release_days_ago":23,"avg_days_between_releases":null,"release_velocity":"active"}}