CVE-2025-65637
Logrus is vulnerable to DoS when using Entry.writerScanner in github.com/sirupsen/logrus
CVSS 3.1: 7.5 HIGH
EPSS 0.06%
Description
A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.
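The failure mode described above, reproduced with only the Go standard library as an added illustration (this is not code from the logrus project or from this advisory): a pipe drained by a default bufio.Scanner, as Entry.Writer() did, beside a chunked drain loop that keeps the writer usable. The chunked loop is an assumed alternative, not necessarily the fix logrus shipped; the 70000-byte payload and the helper names are constructed for the example.

```go
package main

import (
	"bufio"
	"io"
	"strings"
)

// run mirrors the Entry.Writer() pattern: a goroutine drains an io.Pipe while the caller
// writes one size-byte line with no newline (the constructed trigger) and then "ok\n".
// It reports the entries delivered, the drain loop's final error and both Write errors.
func run(drain func(io.Reader, func([]byte)) error, size int) (lines, delivered int, scanErr, bigErr, smallErr error) {
	pr, pw := io.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		scanErr = drain(pr, func(b []byte) { lines++; delivered += len(b) })
		pr.Close() // the vulnerable writerScanner closed the pipe on any error
	}()
	_, bigErr = pw.Write([]byte(strings.Repeat("A", size)))
	_, smallErr = pw.Write([]byte("ok\n"))
	pw.Close()
	<-done
	return
}

// scannerDrain is the vulnerable pattern: bufio.Scanner's default 64 KiB token limit
// turns a longer line into ErrTooLong, and the loop never resumes.
func scannerDrain(r io.Reader, log func([]byte)) error {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		log(sc.Bytes())
	}
	return sc.Err()
}

// chunkedDrain is one chunked alternative (assumed here, not logrus's own code):
// ReadLine hands an over-long line back in buffer-sized pieces, so the loop survives.
func chunkedDrain(r io.Reader, log func([]byte)) error {
	br := bufio.NewReaderSize(r, 4096)
	chunk, _, err := br.ReadLine()
	for ; err == nil; chunk, _, err = br.ReadLine() {
		log(chunk) // isPrefix is ignored on purpose: a long line just arrives in pieces
	}
	if err == io.EOF {
		err = nil
	}
	return err
}
```

With the scanner drain the oversized Write and every later Write fail with io.ErrClosedPipe and nothing is logged; with the chunked drain both writes succeed and the payload arrives as 18 entries.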
How to fix CVE-2025-65637
To fix CVE-2025-65637, upgrade the affected package to one of the patched versions listed below.
- No patched version listed
- Upgrade to 1.8.3 or later
- Upgrade to 1.8.3 or later
Is CVE-2025-65637 being exploited?
Low: the EPSS score is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (3)
- from 0
- from 0, < 1.8.3
- from 0, < 1.8.3, >= 1.9.0, < 1.9.1, >= 1.9.2, < 1.9.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |