CVE-2025-58183
published 2025-10-29


Priority: P4 21, medium, CVSS 3.1 base score 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
EPSS: 0.42% (33.7th percentile)
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected

27 ranges, showing 25

Vendor | Product | Version range | Fixed in
debian | golang-1.15 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky)
debian | golang-1.19 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky)
debian | golang-1.24 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky)
debian | golang-1.25 | < golang-1.24 1.24.8-1 (forky) | golang-1.24 1.24.8-1 (forky)
github.com | opentofu_opentofu | >= 0 < 1.10.7 | 1.10.7
go_standard_library | archive_tar | < 1.24.8 | 1.24.8
go_standard_library | archive_tar | >= 1.25.0 < 1.25.2 | 1.25.2
msrc | azl3_containerized-data-importer_1.57.0-16 | |
msrc | azl3_containerized-data-importer_1.57.0-17 | |
msrc | azl3_gcc_13.2.0-7 | |
msrc | azl3_gh_2.62.0-10 | |
msrc | azl3_gh_2.62.0-9 | |
msrc | azl3_golang_1.23.12-1 | |
msrc | azl3_golang_1.25.3-1 | |
msrc | azl3_golang_1.25.5-1 | |
msrc | azl3_golang_1.25.6-1 | |
msrc | azl3_golang_1.25.7-1 | |
msrc | azl3_golang_1.25.8-1 | |
msrc | azl3_golang_1.26.0-1 | |
msrc | azl3_libcontainers-common_20240213-3 | |
msrc | azl3_moby-engine_25.0.3-13 | |
msrc | azl3_moby-engine_25.0.3-14 | |
msrc | azl3_python-tensorboard_2.16.2-6 | |
msrc | azl3_skopeo_1.14.4-6 | |
msrc | azl3_skopeo_1.14.4-7 | |

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ghsa | | 4.3 | MEDIUM |
osv | | 4.3 | MEDIUM |
vendor_msrc | | 5.5 | MEDIUM |
vendor_debian | | 4.3 | MEDIUM |
vendor_redhat | | 4.3 | MEDIUM |