Bug 2418900 (CVE-2025-65637)

Summary: CVE-2025-65637 github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aarif, aazores, abarbaro, abuckta, adistefa, agarcial, akostadi, akoudelk, alcohan, alebedev, alinfoot, alizardo, amasferr, amctagga, anjoseph, anpicker, anthomas, aoconnor, aprice, asatyam, asegurap, bbrownin, bdettelb, bniver, bparees, carogers, caswilli, ckandaga, cmah, cmyers, crizzo, dbosanac, dfreiber, dhanak, diagrawa, dkuc, dmayorov, dnakabaa, doconnor, drosa, drow, dschmidt, dsimansk, dtrifiro, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, eshamard, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, gtanzill, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jbuscemi, jcammara, jcantril, jchui, jdobes, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmitchel, jmontleo, jneedle, joehler, jolong, jowilson, jprabhak, jpretori, jreimann, jsamir, jschluet, jsherril, juwatts, jvasik, kaycoth, kbempah, kegrant, kgaikwad, kingland, koliveir, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lcouzens, lgamliel, lhh, ljawale, lphiri, luizcosta, lwan, mabashia, manissin, mattdavi, matzew, mbenjamin, mburns, mdessi, mgarciac, mhackett, mhulan, mnovotny, mpierce, mrizzi, mrunge, mskarbek, mstipich, mwringe, nboldt, ngough, nmoumoul, nweather, nyancey, oaljalju, oezr, ometelka, orabin, oramraz, osousa, owatkins, pahickey, pakotvan, pantinor, pbohmill, pbraun, pcattana, pcreech, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rblanco, rbobbitt, rbryant, rchan, rexwhite, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rochandr, rojacob, sabiswas, sakbas, sausingh, sdawley, sfeifer, shvarugh, simaishi, slucidi, smallamp, smcdonal, smullick, solenoci, sostapov, sseago, stcannon, sthirugn, stirabos, syedriko, teagle, tfister, thason, thavo, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vimartin, vkarehfa, vkrizan, vkumar, vmugicag, watson-tool-maintainers, weaton, wenshen, whayutin, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial-of-service vulnerability in github.com/sirupsen/logrus occurs when Entry.Writer() processes a single-line payload larger than 64KB with no newline characters. Due to a limitation in Go’s internal bufio.Scanner, the read operation fails with a “token too long” error, causing the underlying writer pipe to close. In affected versions, this leaves the Writer interface unusable and can disrupt logging functionality, potentially degrading application availability.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2422162, 2422163, 2422164, 2422166, 2422168, 2422169, 2422171, 2422172, 2422196, 2422197, 2422198, 2422199, 2422200, 2422201, 2422203, 2422204, 2422205, 2422206, 2422207, 2422208, 2422209, 2422210, 2422165, 2422167, 2422170, 2422173, 2422174, 2422175, 2422176, 2422177, 2422178, 2422179, 2422180, 2422181, 2422182, 2422183, 2422184, 2422185, 2422186, 2422187, 2422188, 2422189, 2422190, 2422191, 2422192, 2422193, 2422194, 2422195, 2422202    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-04 19:01:18 UTC
A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Comment 1 errata-xmlrpc 2026-01-12 03:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0425 https://access.redhat.com/errata/RHSA-2026:0425

Comment 2 errata-xmlrpc 2026-02-11 09:33:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2519 https://access.redhat.com/errata/RHSA-2026:2519

Comment 3 errata-xmlrpc 2026-02-11 09:41:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2520 https://access.redhat.com/errata/RHSA-2026:2520

Comment 4 errata-xmlrpc 2026-02-12 19:48:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2686 https://access.redhat.com/errata/RHSA-2026:2686

Comment 5 errata-xmlrpc 2026-02-12 19:57:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2688 https://access.redhat.com/errata/RHSA-2026:2688

Comment 6 errata-xmlrpc 2026-02-12 20:03:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2685 https://access.redhat.com/errata/RHSA-2026:2685

Comment 7 errata-xmlrpc 2026-02-12 20:05:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2687 https://access.redhat.com/errata/RHSA-2026:2687

Comment 8 errata-xmlrpc 2026-02-18 10:25:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:2658 https://access.redhat.com/errata/RHSA-2026:2658

Comment 9 errata-xmlrpc 2026-02-18 21:23:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:2670 https://access.redhat.com/errata/RHSA-2026:2670

Comment 10 errata-xmlrpc 2026-02-23 01:32:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:2746 https://access.redhat.com/errata/RHSA-2026:2746

Comment 11 errata-xmlrpc 2026-02-26 11:21:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3428 https://access.redhat.com/errata/RHSA-2026:3428

Comment 12 errata-xmlrpc 2026-02-26 14:46:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:2973 https://access.redhat.com/errata/RHSA-2026:2973

Comment 13 errata-xmlrpc 2026-03-12 20:53:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4531 https://access.redhat.com/errata/RHSA-2026:4531

Comment 14 errata-xmlrpc 2026-03-12 20:57:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4532 https://access.redhat.com/errata/RHSA-2026:4532

Comment 15 errata-xmlrpc 2026-03-12 21:30:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:4533 https://access.redhat.com/errata/RHSA-2026:4533

Comment 16 errata-xmlrpc 2026-03-17 06:41:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:4693 https://access.redhat.com/errata/RHSA-2026:4693

Comment 17 errata-xmlrpc 2026-03-19 05:52:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:4418 https://access.redhat.com/errata/RHSA-2026:4418

Comment 18 errata-xmlrpc 2026-03-19 14:08:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:4580 https://access.redhat.com/errata/RHSA-2026:4580

Comment 19 errata-xmlrpc 2026-03-30 16:00:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:6191 https://access.redhat.com/errata/RHSA-2026:6191

Comment 20 errata-xmlrpc 2026-04-15 15:21:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:8325 https://access.redhat.com/errata/RHSA-2026:8325

Comment 21 errata-xmlrpc 2026-04-16 10:28:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:7238 https://access.redhat.com/errata/RHSA-2026:7238

Comment 23 errata-xmlrpc 2026-04-27 02:05:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:10703 https://access.redhat.com/errata/RHSA-2026:10703

Comment 24 errata-xmlrpc 2026-04-29 04:15:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Services on OpenShift 18.0

Via RHSA-2026:7885 https://access.redhat.com/errata/RHSA-2026:7885

Comment 25 errata-xmlrpc 2026-04-29 15:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:11804 https://access.redhat.com/errata/RHSA-2026:11804

Comment 27 errata-xmlrpc 2026-05-06 11:20:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:13971 https://access.redhat.com/errata/RHSA-2026:13971

Comment 28 errata-xmlrpc 2026-05-08 21:05:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:12273 https://access.redhat.com/errata/RHSA-2026:12273

Comment 29 errata-xmlrpc 2026-05-11 07:05:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:15940 https://access.redhat.com/errata/RHSA-2026:15940

Comment 30 errata-xmlrpc 2026-05-11 07:10:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:15941 https://access.redhat.com/errata/RHSA-2026:15941