-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
GoGoMiggo AIRoot Cause AnalysisThe vulnerability stemmed from ClientConfig.HostKeyCallback defaulting to nil, which prior to commit e4e2799 meant accepting any host key. The NewClientConn function (called by Dial) contained the critical security check logic. The commit diff shows explicit validation was added to NewClientConn to reject nil HostKeyCallback, confirming these were the entry points for insecure connections. Both functions became safe only after forcing explicit host key verification.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| golang.org/x/crypto | go | < 0.0.0-20170330155735-e4e2799dd7aa | 0.0.0-20170330155735-e4e2799dd7aa |
Ongoing coverage of React2Shell