What is CVE-2024-45337?

Applications using crypto/ssh's ServerConfig.PublicKeyCallback may incorrectly authorize connections when the callback approves a key but authentication fails, due to a logic flaw in the authentication flow.

How do I fix CVE-2024-45337?

Upgrade Go to 1.22.10+ or 1.23.4+. Review your PublicKeyCallback implementation to ensure it rejects unauthorized keys. Add explicit key allowlist validation inside PublicKeyCallback. Rotate SSH host keys and audit SSH access logs for anomalies. Run static analysis (govulncheck) to detect usage of vulnerable patterns. Pin allowed public keys in your callback rather than relying on post-callback checks.

Which versions are affected by CVE-2024-45337?

Affected: Go < 1.22.10, < 1.23.4. Fixed in: Go 1.22.10+, 1.23.4+.

criticalCVSS 9.1/10·Published: 2024-12-11·Go standard library (crypto/ssh)

How to fix CVE-2024-45337 – Step-by-Step Guide

CVE-2024-45337 addresses a critical vulnerability in Go's `crypto/ssh` package. This flaw, named "Misuse of ServerConfig.PublicKeyCallback," can lead to unauthorized access in Go applications. It's crucial for developers to understand and address this high-severity issue promptly.

CVE ID

CVE-2024-45337

Severity

CRITICAL

CVSS Score

9.1/10

Affected

Go standard library (crypto/ssh)

What is Go crypto/ssh – Misuse of ServerConfig.PublicKeyCallback?

This vulnerability stems from a logic flaw within `crypto/ssh`'s `ServerConfig.PublicKeyCallback`. Applications using this callback may incorrectly authorize SSH connections. Even if the actual authentication fails, a misconfigured or improperly implemented callback could approve a public key, bypassing intended security checks and granting unauthorized access.

Affected Versions

Go < 1.22.10, < 1.23.4

Fixed In

Go 1.22.10+, 1.23.4+

Official References

Impact and Risks for your Infrastructure

The primary impact is an unauthorized SSH authentication bypass in affected Go applications. Attackers can exploit this flaw to authenticate to SSH servers using virtually any public key, gaining unauthorized access to systems. This critical vulnerability (CVSS 9.1) poses a significant risk of data breaches and system compromise.

gosshauth-bypasscritical2024

Step-by-Step Mitigation Guide

To fix CVE-2024-45337, update your Go environment to version 1.22.10 or later, or 1.23.4 or later. Verify the update by checking your Go version (`go version`) to ensure the patched library is in use. This upgrade directly addresses the `PublicKeyCallback` logic flaw, restoring proper SSH authentication security.

1Upgrade Go to 1.22.10+ or 1.23.4+.
2Review your PublicKeyCallback implementation to ensure it rejects unauthorized keys.
3Add explicit key allowlist validation inside PublicKeyCallback.
4Rotate SSH host keys and audit SSH access logs for anomalies.
5Run static analysis (govulncheck) to detect usage of vulnerable patterns.
6Pin allowed public keys in your callback rather than relying on post-callback checks.

Frequently Asked Questions

What is the CVSS score for CVE-2024-45337?▼

CVE-2024-45337 has a CVSS score of 9.1/10 (critical severity). This reflects the most severe potential impact, requiring immediate remediation.

Which versions of Go standard library (crypto/ssh) are affected?▼

Affected: Go < 1.22.10, < 1.23.4. The vulnerability was fixed in: Go 1.22.10+, 1.23.4+.

How long does it take to fix CVE-2024-45337?▼

For most teams: 15–60 minutes to apply the patch, plus 15 minutes of post-patch verification. Complex multi-service environments may require 2–4 hours including staging validation.

Is CVE-2024-45337 being actively exploited?▼

Check the NVD entry and CISA KEV catalog for exploitation status. As a critical-severity vulnerability, treat it as a priority remediation regardless of known exploitation status.

Run Security Check →Browse Runbooks →← All CVE Solutions

This CVE fix guide is based on publicly available security advisories (NVD, vendor bulletins). Always test changes in a staging environment before applying to production. Verify against the official vendor advisory for the most up-to-date guidance.