Home

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

PUBLISHED Reserved 2025-08-27 | Published 2025-10-29 | Updated 2025-10-30 | Assigner Go

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status

Default status
unaffected

Any version before 1.24.8
affected

1.25.0 (semver) before 1.25.2
affected

Credits

Harshit Gupta (Mr HAX)

References

go.dev/cl/709861

go.dev/issue/75677

groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

pkg.go.dev/vuln/GO-2025-4014

cve.org (CVE-2025-58183)

nvd.nist.gov (CVE-2025-58183)

Download JSON