[🐸 Frogbot] Update version of golang.org/x/crypto to 0.35.0

[github-actions]

📦 Vulnerable Dependencies

Severity	ID	Contextual Analysis	Direct Dependencies	Impacted Dependency	Fixed Versions
High	CVE-2025-22869	Missing Context	golang.org/x/net:v0.34.0 github.com/jfrog/jfrog-cli-core/v2:v2.57.7 github.com/jfrog/jfrog-cli-security:v1.14.1 github.com/jfrog/jfrog-client-go:v1.49.1 golang.org/x/crypto:v0.32.0	golang.org/x/crypto v0.32.0	[0.35.0]

🔖 Details

Vulnerability Details

Jfrog Research Severity:	High
Contextual Analysis:	Missing Context
Direct Dependencies:	golang.org/x/net:v0.34.0, github.com/jfrog/jfrog-cli-core/v2:v2.57.7, github.com/jfrog/jfrog-cli-security:v1.14.1, github.com/jfrog/jfrog-client-go:v1.49.1, golang.org/x/crypto:v0.32.0
Impacted Dependency:	golang.org/x/crypto:v0.32.0
Fixed Versions:	[0.35.0]
CVSS V3:	7.5

Unbounded resource consumption in Go's crypto/ssh allows unauthenticated network attackers to cause denial of service.

🔬 JFrog Research Details

Description:
The golang package x/crypto/ssh implements an SSH client and server.

To establish trust between two sides connecting over ssh, the ssh handshake implements a key exchange. During this process each side sends the other an SSH_MSG_KEXINIT packet which initializes the exchange.

Once side A has sent the SSH_MSG_KEXINIT packet, it is open to receiving normal data packets from side B. These packets will be queued, and processed once the key exchange is complete. However, if side B is slow at sending its own SSH_MSG_KEXINIT packet and quick at sending the data packets, or side B is a malicious user that purposefully refrains from sending the SSH_MSG_KEXINIT packet, the data packets could drain side A's memory and potentially cause denial of service from resource consumption.

---

🐸 JFrog Frogbot