Fluid Attacks Database

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| =1.25.1-1 \|\| >=0 <1.25.2-1	1.25.2-1
go	stdlib	>=0 <1.24.8	1.24.8
rpm rhel10	bootc-image-builder	-	-
rpm rhel9.6	delve	<0:1.25.2-1.el9_6	0:1.25.2-1.el9_6
rpm rhel9	grafana	<0:10.2.6-17.el9_7	0:10.2.6-17.el9_7
rpm rhel8.4	osbuild-composer	<0:28.7-4.el8_4	0:28.7-4.el8_4
rpm rhel9.6	skopeo	<2:1.18.1-3.el9_6	2:1.18.1-3.el9_6

1-10 of 49

Aliases

1. CVE-2025-581832. NVD-2025-581833. OSV-DEBIAN-2025-581834. OSV-2025-581835. OSV-GO-2025-40146. GCVE-2025-581837. SECURITY-TRACKER-CVE-2025-58183

References

1. https://go.dev/cl/7098612. https://go.dev/issue/756773. https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.