
Commit eeac2d8

1 parent 3942060 commit eeac2d8


2 files changed

+137
-57
lines changed

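--- /dev/null
+++ b/GHSA-4f99-4q7p-p3gh.json
@@ -0,0 +1,137 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-4f99-4q7p-p3gh",
+"modified": "2025-12-05T02:27:47Z",
+"published": "2025-12-04T21:31:04Z",
+"aliases": [
+"CVE-2025-65637"
+],
+"summary": "Logrus is vulnerable to DoS when using Entry.Writer()",
+"details": "A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with \"token too long\" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/sirupsen/logrus"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.8.3"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/sirupsen/logrus"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.9.0"
+},
+{
+"fixed": "1.9.1"
+}
+]
+}
+],
+"versions": [
+"1.9.0"
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/sirupsen/logrus"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "1.9.2"
+},
+{
+"fixed": "1.9.3"
+}
+]
+}
+],
+"versions": [
+"1.9.2"
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65637"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/issues/1370"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/pull/1376"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mjuanxd/logrus-dos-poc"
+},
+{
+"type": "WEB",
+"url": "https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/sirupsen/logrus"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/releases/tag/v1.8.3"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.1"
+},
+{
+"type": "WEB",
+"url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.3"
+},
+{
+"type": "WEB",
+"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-400"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2025-12-05T02:27:47Z",
+"nvd_published_at": "2025-12-04T19:16:05Z"
+}
+}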
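Review bot: The `details` string (new file line 10) explains the failure mode — a single newline-free write over 64KB makes the internal `bufio.Scanner` fail with "token too long" and the pipe is closed — but it never states the precondition that the `AV:N/AC:L/PR:N` CVSS 4.0 vector on line 14 presumes, namely that attacker-influenced bytes must reach the `io.Writer` returned by `Entry.Writer()` (for instance a third-party library's or child process's output redirected into it). Without that sentence a consumer cannot tell whether a service that only routes its own, newline-terminated log lines through `Writer()` is exposed, so I would append to `details`: `Triggering the condition requires a write of more than 64KB without a newline to the io.Writer returned by Entry.Writer(); the security impact depends on whether an attacker can influence what is written to that writer.`. The three `affected` ranges (`<1.8.3`, `1.9.0`, `1.9.2`) agree with the prose on line 10, and the `versions` arrays on the 1.9.0 and 1.9.2 entries are consistent with their single-version ranges, so the version data itself reads correctly. Whether sibling entry points such as `Logger.Writer()` or `WriterLevel()` share the same pipe/scanner path is not stated here and would be worth confirming against the referenced fix commit before relying on the summary's `Entry.Writer()`-only wording.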

advisories/unreviewed/2025/12/GHSA-4f99-4q7p-p3gh/GHSA-4f99-4q7p-p3gh.json

Lines changed: 0 additions & 57 deletions
This file was deleted.
