{"id":"UBUNTU-CVE-2025-65637","details":"A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with \"token too long\" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions before 1.8.3, as well as versions 1.9.0 and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.","modified":"2026-01-20T20:09:14.062299Z","published":"2025-12-04T19:16:00Z","upstream":["CVE-2025-65637"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-65637"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-65637"},{"type":"REPORT","url":"https://github.com/mjuanxd/logrus-dos-poc"},{"type":"REPORT","url":"https://github.com/sirupsen/logrus/issues/1370"},{"type":"REPORT","url":"https://github.com/sirupsen/logrus/pull/1384"},{"type":"REPORT","url":"https://github.com/sirupsen/logrus/pull/1376"},{"type":"REPORT","url":"https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md"},{"type":"REPORT","url":"https://github.com/sirupsen/logrus/releases/tag/v1.8.3"},{"type":"REPORT","url":"https://github.com/sirupsen/logrus/releases/tag/v1.9.1"},{"type":"REPORT","url":"https://github.com/sirupsen/logrus/releases/tag/v1.9.3"},{"type":"REPORT","url":"https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391"}],"affected":[{"package":{"name":"golang-logrus","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/golang-logrus@0.8.7-3?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.7.3-1","0.7.3-2","0.8.7-1","0.8.7-2","0.8.7-3"],"ecosystem_specific":{"binaries":[{"binary_version":"0.8.7-3","binary_name":"golang-github-sirupsen-logrus-dev"},{"binary_version":"0.8.7-3","binar
y_name":"golang-logrus-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-65637.json"}},{"package":{"name":"golang-logrus","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/golang-logrus@1.0.2-2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.2-2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.0.2-2","binary_name":"golang-github-sirupsen-logrus-dev"},{"binary_version":"1.0.2-2","binary_name":"golang-logrus-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-65637.json"}},{"package":{"name":"golang-logrus","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/golang-logrus@1.3.0-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.3.0-1","binary_name":"golang-github-sirupsen-logrus-dev"},{"binary_version":"1.3.0-1","binary_name":"golang-logrus-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-65637.json"}},{"package":{"name":"golang-logrus","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-logrus@1.7.0-2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.7.0-2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.7.0-2","binary_name":"golang-github-sirupsen-logrus-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-65637.json"}},{"package":{"name":"golang-logrus","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/golang-logrus@1.9.0-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.9.
0-1","binary_name":"golang-github-sirupsen-logrus-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-65637.json"}},{"package":{"name":"golang-logrus","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/golang-logrus@1.9.0-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.9.0-1","binary_name":"golang-github-sirupsen-logrus-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-65637.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}