CVE-2025-58183: Allocation of Resources Without Limits or Throttling in Standard Library Archive TAR

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 96.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 29; Latest update Nov 5

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

CVEListV5: go_standard_library/archive_tar (1.25.0, 1.25.2, +1)

🔴 Vulnerability Details (4)

GHSA: GHSA-9gcr-gp5f-jw27: tar (2025-10-30)
CVEList: Unbounded allocation when parsing GNU sparse map in archive/tar (2025-10-29)
OSV: CVE-2025-58183: tar (2025-10-29)
OSV: Unbounded allocation when parsing GNU sparse map in archive/tar (2025-10-29)

📋 Vendor Advisories (3)

Red Hat: golang: archive/tar: Unbounded allocation when parsing GNU sparse map (2025-10-29)
Microsoft: Unbounded allocation when parsing GNU sparse map in archive/tar (2025-10-14)
Debian: CVE-2025-58183: golang-1.15 - tar.Reader does not set a maximum size on the number of sparse region data block... (2025)

💬 Community (6)

Bugzilla: CVE-2025-58183 incus: Unbounded allocation when parsing GNU sparse map [fedora-43] (2025-11-05)
Bugzilla: CVE-2025-58183 trivy: Unbounded allocation when parsing GNU sparse map [fedora-43] (2025-11-05)
Bugzilla: CVE-2025-58183 docker-distribution: Unbounded allocation when parsing GNU sparse map [fedora-42] (2025-11-05)
Bugzilla: CVE-2025-58183 incus: Unbounded allocation when parsing GNU sparse map [fedora-42] (2025-11-05)
Bugzilla: CVE-2025-58183 docker-distribution: Unbounded allocation when parsing GNU sparse map [fedora-43] (2025-11-05)
CVE-2025-58183 — MEDIUM severity | cvebase