Skip to content

fix: patch CVE-2025-58183 in golang stdlib#1968

Closed
shibd wants to merge 1 commit intomasterfrom
fix/cve-2025-58183
Closed

fix: patch CVE-2025-58183 in golang stdlib#1968
shibd wants to merge 1 commit intomasterfrom
fix/cve-2025-58183

Conversation

@shibd
Copy link
Member

@shibd shibd commented Jan 16, 2026

Summary

Fix CVE-2025-58183: Unbounded allocation when parsing GNU sparse map in Go's archive/tar package

CVE Details

How the CVE Was Introduced

The vulnerable stdlib@v1.25.0 was introduced through the Go version specified in pulsarctl/go.mod:

  • Line 3: go 1.25.0 specified the minimum Go version required
  • When pulsarctl is built using make pulsarctl, it uses the system's Go compiler
  • The resulting binary includes the Go stdlib from version 1.25.0
  • This binary is then included in the sn-platform-slim container image at /pulsar/bin/pulsarctl

The pulsarctl binary is a Go-based CLI tool built with Go 1.25.0, which includes the vulnerable stdlib. The vulnerability exists in the archive/tar package which handles tar archive parsing.

Why This Fix Resolves the CVE

Upgrading from Go 1.25.0 to Go 1.25.2 patches the CVE by:

  1. The Go 1.25.2 release includes a fix for CVE-2025-58183
  2. The fix adds proper bounds checking when parsing GNU sparse map entries in tar files
  3. When pulsarctl is rebuilt with Go 1.25.2, the binary will include the patched stdlib
  4. The vulnerability is eliminated without any code changes required in pulsarctl itself

This is a pure dependency version update - no pulsarctl code changes are needed. The fix is inherited from the upstream Go release.

Changes Made

  • Updated go.mod line 3 from go 1.25.0 to go 1.25.2
  • When pulsarctl is rebuilt with this change, it will use Go 1.25.2+ stdlib
  • The new binary will be included in subsequent sn-platform-slim image builds

Verification

After this PR is merged:

  1. Pulsarctl should be rebuilt with Go 1.25.2 or later
  2. The resulting binary will have the patched stdlib
  3. CVE scanners should no longer report this vulnerability for pulsarctl
  4. No functional changes to pulsarctl behavior - this is a security patch only

References

Related Previous CVE Fixes (For Reference)

These previous fixes followed the same pattern: update the Go version in pulsarctl's go.mod to patch stdlib vulnerabilities.

@shibd
fix: patch CVE-2025-58183 in golang stdlib
d26a6d1 
- Update go.mod from go 1.25.0 to go 1.25.2
- Fix CVE-2025-58183: Unbounded allocation when parsing GNU sparse map in archive/tar

CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-58183
Severity: HIGH
Affected: stdlib@v1.25.0 in pulsarctl binary
Fixed Version: 1.25.2

The vulnerability in Go's stdlib archive/tar package allows unbounded memory
allocation when parsing GNU tar pax 1.0 sparse files. By upgrading to Go 1.25.2,
this vulnerability is resolved.

Related: streamnative/eng-support-tickets#3615
@github-actions
Copy link

github-actions bot commented Jan 16, 2026

@shibd:Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions bot added the doc-info-missing This pr needs to mark a document option in description label Jan 16, 2026
@shibd shibd closed this Jan 16, 2026
@shibd shibd mentioned this pull request Jan 16, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattisonchao mattisonchao Awaiting requested review from mattisonchao mattisonchao is a code owner

@zymap zymap Awaiting requested review from zymap zymap is a code owner

@nlu90 nlu90 Awaiting requested review from nlu90 nlu90 is a code owner

Assignees

@shibd shibd

Labels

doc-info-missing This pr needs to mark a document option in description

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shibd