Vulnerability-Lookup

RHSA-2026:2351

Vulnerability from csaf_redhat - Published: 2026-02-09 15:55 - Updated: 2026-02-11 05:31

Summary

Red Hat Security Advisory: VolSync v0.13 security fixes and container updates

Notes

Topic

VolSync v0.13 General Availability release images, which provide enhancements, security fixes, and updated container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

Details

VolSync v0.13 is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data. For more information about VolSync, see: https://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/business_continuity/business-cont-overview#volsync or the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard Create KEV Entry

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "VolSync v0.13 General Availability release images, which provide enhancements, security fixes, and updated container images.\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "VolSync v0.13 is a Kubernetes operator that enables asynchronous\nreplication of persistent volumes within a cluster, or across clusters. After\ndeploying the VolSync operator, it can create and maintain copies of your\npersistent data.\n\nFor more information about VolSync, see:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/business_continuity/business-cont-overview#volsync\n\nor the VolSync open source community website at: https://volsync.readthedocs.io/en/stable/.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:2351",
        "url": "https://access.redhat.com/errata/RHSA-2026:2351"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-47907",
        "url": "https://access.redhat.com/security/cve/CVE-2025-47907"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-58183",
        "url": "https://access.redhat.com/security/cve/CVE-2025-58183"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-65637",
        "url": "https://access.redhat.com/security/cve/CVE-2025-65637"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2351.json"
      }
    ],
    "title": "Red Hat Security Advisory: VolSync v0.13 security fixes and container updates",
    "tracking": {
      "current_release_date": "2026-02-11T05:31:04+00:00",
      "generator": {
        "date": "2026-02-11T05:31:04+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2026:2351",
      "initial_release_date": "2026-02-09T15:55:39+00:00",
      "revision_history": [
        {
          "date": "2026-02-09T15:55:39+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-09T15:55:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-11T05:31:04+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
                "product": {
                  "name": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
                  "product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.14",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:acm:2.14::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Advanced Cluster Management for Kubernetes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
                "product": {
                  "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
                  "product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256%3A8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1770249158"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
                "product": {
                  "name": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
                  "product_id": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-operator-bundle@sha256%3Add464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0?arch=amd64\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1770254182"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
                "product": {
                  "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
                  "product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256%3A08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711?arch=ppc64le\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1770249158"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
                "product": {
                  "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
                  "product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256%3A3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d?arch=s390x\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1770249158"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64",
                "product": {
                  "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64",
                  "product_id": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/volsync-rhel9@sha256%3Aa4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9?arch=arm64\u0026repository_url=registry.redhat.io/rhacm2\u0026tag=1770249158"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.14",
          "product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
        },
        "product_reference": "registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
        "relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.14",
          "product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le"
        },
        "product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
        "relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.14",
          "product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x"
        },
        "product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
        "relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.14",
          "product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64"
        },
        "product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
        "relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.14",
          "product_id": "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
        },
        "product_reference": "registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64",
        "relates_to_product_reference": "Red Hat Advanced Cluster Management for Kubernetes 2.14"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47907",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2025-08-07T16:01:06.247481+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2387083"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "database/sql: Postgres Scan Race Condition",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability marked as Moderate severity issues rather than Important. The os/exec LookPath flaw requires a misconfigured PATH to be exploitable, and the database/sql race condition primarily impacts applications that cancel queries while running multiple queries concurrently. Both can cause unexpected behavior, but the exploitation scope is limited and unlikely to result in direct compromise in most typical deployments.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
        ],
        "known_not_affected": [
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "RHBZ#2387083",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387083"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-47907",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/693735",
          "url": "https://go.dev/cl/693735"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/74831",
          "url": "https://go.dev/issue/74831"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-3849",
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "release_date": "2025-08-07T15:25:30.704000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-09T15:55:39+00:00",
          "details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes documentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/business_continuity/business-cont-overview#volsync",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2351"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "database/sql: Postgres Scan Race Condition"
    },
    {
      "cve": "CVE-2025-58183",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-10-29T23:01:50.573951+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2407258"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
        ],
        "known_not_affected": [
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-58183"
        },
        {
          "category": "external",
          "summary": "RHBZ#2407258",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/709861",
          "url": "https://go.dev/cl/709861"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/75677",
          "url": "https://go.dev/issue/75677"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2025-4014",
          "url": "https://pkg.go.dev/vuln/GO-2025-4014"
        }
      ],
      "release_date": "2025-10-29T22:10:14.376000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-09T15:55:39+00:00",
          "details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes documentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/business_continuity/business-cont-overview#volsync",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2351"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
    },
    {
      "cve": "CVE-2025-65637",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-12-04T19:00:54.313916+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2418900"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial-of-service vulnerability in github.com/sirupsen/logrus occurs when Entry.Writer() processes a single-line payload larger than 64KB with no newline characters. Due to a limitation in Go\u2019s internal bufio.Scanner, the read operation fails with a \u201ctoken too long\u201d error, causing the underlying writer pipe to close. In affected versions, this leaves the Writer interface unusable and can disrupt logging functionality, potentially degrading application availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is categorized as Moderate because its impact is limited to the logging subsystem and requires a specific, non-default usage pattern to trigger\u2014namely, sending a single unbounded line exceeding 64KB through Entry.Writer(). Most Logrus deployments do not expose this interface directly to attacker-controlled input, which raises the attack complexity and reduces realistic exploitability. Additionally, the flaw does not affect confidentiality or integrity, nor does it allow code execution or privilege escalation. The failure results in a controlled degradation of availability (logging becoming non-functional), rather than a broader application outage or systemic compromise. These constrained conditions and limited real-world impact justify treating the issue as moderate rather than important.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
        ],
        "known_not_affected": [
          "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-65637"
        },
        {
          "category": "external",
          "summary": "RHBZ#2418900",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418900"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-65637",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-65637"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-65637",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65637"
        },
        {
          "category": "external",
          "summary": "https://github.com/mjuanxd/logrus-dos-poc",
          "url": "https://github.com/mjuanxd/logrus-dos-poc"
        },
        {
          "category": "external",
          "summary": "https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md",
          "url": "https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md"
        },
        {
          "category": "external",
          "summary": "https://github.com/sirupsen/logrus/issues/1370",
          "url": "https://github.com/sirupsen/logrus/issues/1370"
        },
        {
          "category": "external",
          "summary": "https://github.com/sirupsen/logrus/pull/1376",
          "url": "https://github.com/sirupsen/logrus/pull/1376"
        },
        {
          "category": "external",
          "summary": "https://github.com/sirupsen/logrus/releases/tag/v1.8.3",
          "url": "https://github.com/sirupsen/logrus/releases/tag/v1.8.3"
        },
        {
          "category": "external",
          "summary": "https://github.com/sirupsen/logrus/releases/tag/v1.9.1",
          "url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.1"
        },
        {
          "category": "external",
          "summary": "https://github.com/sirupsen/logrus/releases/tag/v1.9.3",
          "url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.3"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391",
          "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391"
        }
      ],
      "release_date": "2025-12-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-09T15:55:39+00:00",
          "details": "For more details, see the Red Hat Advanced Cluster Management for Kubernetes documentation:\n\nhttps://docs.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.14/html/business_continuity/business-cont-overview#volsync",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2351"
        },
        {
          "category": "workaround",
          "details": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-operator-bundle@sha256:dd464544e3bd41b77c7042360df3a34b1c31bbdb8c5f8bc6053d7b870184f0b0_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:08252e3e72cfd31212ecfbe0a34ddfe5b6347175a7cc5b44436c4a5af812a711_ppc64le",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:3523735cce4c13604e5cd0420713b5b7cd59ebeb52a2b3f2fb04e722cce6e97d_s390x",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:8ef5a5cf0db239a9633f4b80ca1d81893956678bd808b1aa46950aa0c54041cc_amd64",
            "Red Hat Advanced Cluster Management for Kubernetes 2.14:registry.redhat.io/rhacm2/volsync-rhel9@sha256:a4e6312e2c13ac99b3d5338e722923aad4c6a9993869f918a7be5297afc26cb9_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload"
    }
  ]
}

CVE-2025-65637 (GCVE-0-2025-65637)

Vulnerability from cvelistv5 – Published: 2025-12-04 00:00 – Updated: 2025-12-05 21:52

Summary

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/mjuanxd/logrus-dos-poc
	https://github.com/sirupsen/logrus/issues/1370
	https://github.com/sirupsen/logrus/pull/1376
	https://github.com/sirupsen/logrus/releases/tag/v1.8.3
	https://github.com/sirupsen/logrus/releases/tag/v1.9.1
	https://github.com/sirupsen/logrus/releases/tag/v1.9.3
	https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBC…
	https://github.com/mjuanxd/logrus-dos-poc/blob/ma…

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-65637",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T21:52:30.561592Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T21:52:59.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with \"token too long\" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions \u003c 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T18:17:04.939Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/mjuanxd/logrus-dos-poc"
        },
        {
          "url": "https://github.com/sirupsen/logrus/issues/1370"
        },
        {
          "url": "https://github.com/sirupsen/logrus/pull/1376"
        },
        {
          "url": "https://github.com/sirupsen/logrus/releases/tag/v1.8.3"
        },
        {
          "url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.1"
        },
        {
          "url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.3"
        },
        {
          "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391"
        },
        {
          "url": "https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-65637",
    "datePublished": "2025-12-04T00:00:00.000Z",
    "dateReserved": "2025-11-18T00:00:00.000Z",
    "dateUpdated": "2025-12-05T21:52:59.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-58183 (GCVE-0-2025-58183)

Vulnerability from cvelistv5 – Published: 2025-10-29 22:10 – Updated: 2025-11-04 21:13

Title

Unbounded allocation when parsing GNU sparse map in archive/tar

Summary

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

References

URL

Tags

	https://go.dev/cl/709861
	https://go.dev/issue/75677
	https://groups.google.com/g/golang-announce/c/4Em…
	https://pkg.go.dev/vuln/GO-2025-4014

Impacted products

	Vendor	Product	Version
	Go standard library	archive/tar	Affected: 0 , < 1.24.8 (semver) Affected: 1.25.0 , < 1.25.2 (semver)

Credits

Harshit Gupta (Mr HAX)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58183",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T14:22:41.219110Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:37.377Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:32.834Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/08/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "archive/tar",
          "product": "archive/tar",
          "programRoutines": [
            {
              "name": "readGNUSparseMap1x0"
            },
            {
              "name": "Reader.Next"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.24.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.25.2",
              "status": "affected",
              "version": "1.25.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Harshit Gupta (Mr HAX)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T22:10:14.376Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/709861"
        },
        {
          "url": "https://go.dev/issue/75677"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-4014"
        }
      ],
      "title": "Unbounded allocation when parsing GNU sparse map in archive/tar"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-58183",
    "datePublished": "2025-10-29T22:10:14.376Z",
    "dateReserved": "2025-08-27T14:50:58.691Z",
    "dateUpdated": "2025-11-04T21:13:32.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47907 (GCVE-0-2025-47907)

Vulnerability from cvelistv5 – Published: 2025-08-07 15:25 – Updated: 2025-11-04 21:10

Title

Incorrect results returned from Rows.Scan in database/sql

Summary

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

References

URL

Tags

	https://go.dev/cl/693735
	https://go.dev/issue/74831
	https://groups.google.com/g/golang-announce/c/x5M…
	https://pkg.go.dev/vuln/GO-2025-3849

Impacted products

	Vendor	Product	Version
	Go standard library	database/sql	Affected: 0 , < 1.23.12 (semver) Affected: 1.24.0 , < 1.24.6 (semver)

Credits

Spike Curtis from Coder

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T15:45:26.297503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-07T15:48:03.634Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:56.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "database/sql",
          "product": "database/sql",
          "programRoutines": [
            {
              "name": "Rows.Scan"
            },
            {
              "name": "Row.Scan"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Spike Curtis from Coder"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T15:25:30.704Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/693735"
        },
        {
          "url": "https://go.dev/issue/74831"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "title": "Incorrect results returned from Rows.Scan in database/sql"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47907",
    "datePublished": "2025-08-07T15:25:30.704Z",
    "dateReserved": "2025-05-13T23:31:29.597Z",
    "dateUpdated": "2025-11-04T21:10:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:2351

CVE-2025-65637 (GCVE-0-2025-65637)

CVE-2025-58183 (GCVE-0-2025-58183)

CVE-2025-47907 (GCVE-0-2025-47907)

Tags

Sightings

Nomenclature