Bug 2418900 (CVE-2025-65637) - CVE-2025-65637 github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload
Keywords:
Status: NEW
Alias: CVE-2025-65637
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2422162 2422163 2422164 2422165 2422166 2422167 2422168 2422169 2422170 2422171 2422172 2422173 2422174 2422175 2422176 2422177 2422178 2422179 2422180 2422181 2422182 2422183 2422184 2422185 2422186 2422187 2422188 2422189 2422190 2422191 2422192 2422193 2422194 2422195 2422196 2422197 2422198 2422199 2422200 2422201 2422202 2422203 2422204 2422205 2422206 2422207 2422208 2422209 2422210
Blocks:
Reported: 2025-12-04 19:01 UTC by OSIDB Bzimport
Modified: 2025-12-15 11:48 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-04 19:01:18 UTC
A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.
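
The failure mode described above can be reproduced with the Go standard library alone. The following is an added example, not logrus code and not part of the bug report: it models a pipe-backed writer with io.Pipe and bufio.Scanner, first with the default line splitter and then with a chunking split function. The names chunkedLines and pipeThroughScanner and the 100KB payload are constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
)

// chunkedLines (hypothetical name) splits like bufio.ScanLines, but emits a full
// 64KB buffer with no newline as one token instead of failing with ErrTooLong.
func chunkedLines(data []byte, atEOF bool) (int, []byte, error) {
	adv, tok, err := bufio.ScanLines(data, atEOF)
	if adv == 0 && tok == nil && err == nil && len(data) >= bufio.MaxScanTokenSize {
		return bufio.MaxScanTokenSize, data[:bufio.MaxScanTokenSize], nil
	}
	return adv, tok, err
}

// pipeThroughScanner models a pipe-backed log writer (an assumption, not the
// library's code). It returns tokens scanned, failed writes, and the scan error.
func pipeThroughScanner(split bufio.SplitFunc, payloads ...[]byte) (tokens, failed int, scanErr error) {
	r, w := io.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		s := bufio.NewScanner(r)
		s.Split(split)
		for s.Scan() {
			tokens++
		}
		scanErr = s.Err()
		r.CloseWithError(scanErr) // read side gone: every later write fails
	}()
	for _, p := range payloads {
		if _, err := w.Write(p); err != nil {
			failed++
		}
	}
	w.Close()
	<-done
	return tokens, failed, scanErr
}

func main() {
	big := bytes.Repeat([]byte("A"), 100*1024) // constructed 100KB payload, no newline
	fmt.Println(pipeThroughScanner(bufio.ScanLines, big, []byte("next line\n")))
	fmt.Println(pipeThroughScanner(chunkedLines, big, []byte("next line\n")))
}
```

With the default splitter, the scanner stops with "token too long" and both writes fail, including the small one that follows the oversized payload. With the chunking splitter, the same input yields two tokens and no write errors.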

