[🐸 Frogbot] Update version of golang.org/x/crypto to 0.45.0

[github-actions]

📦 Vulnerable Dependencies

Severity	ID	Contextual Analysis	Direct Dependencies	Impacted Dependency	Fixed Versions
High	CVE-2025-47913	Not Covered	golang.org/x/crypto:v0.37.0 github.com/go-git/go-git/v5:v5.16.0 golang.org/x/net:v0.39.0	golang.org/x/crypto v0.37.0	[0.43.0]

🔖 Details

Vulnerability Details

Jfrog Research Severity:	Low
Contextual Analysis:	Not Covered
Direct Dependencies:	golang.org/x/crypto:v0.37.0, github.com/go-git/go-git/v5:v5.16.0, golang.org/x/net:v0.39.0
Impacted Dependency:	golang.org/x/crypto:v0.37.0
Fixed Versions:	[0.43.0]
CVSS V3:	7.5

Unhandled data type in crypto/ssh may result in client denial of service when connecting to untrusted SSH agents

🔬 JFrog Research Details

Description:
The golang package x/crypto/ssh implements an SSH client and server.
It was found that when a client requests an operation that expects a specific-typed response, the List() and the SignWithFlags() functions will crash if the response included an unexpected data type, such as the SSH_AGENT_SUCCESS (byte 0x06) message.

An example of a vulnerable client:

package main

import (
	"fmt"
	"net"
	"golang.org/x/crypto/ssh/agent"
)

func main() {
	conn, err := net.Dial("tcp", "127.0.0.1:9999")
	if err != nil { panic(err) }
	ag := agent.NewClient(conn)
	fmt.Println("calling List() — expect panic in agent/client.go")
	_, _ = ag.List() // panics: "unreachable"
}

---

🐸 JFrog Frogbot