Overview
CVE-2025-65637 is a denial-of-service (DoS) vulnerability in the widely used Go logging library github.com/sirupsen/logrus. It is triggered by a single log line longer than 64KB (`bufio.MaxScanTokenSize`, 65536 bytes) with no newline in it, written through the `io.Writer` that `Entry.Writer()` returns; any input an attacker can get into such a line (a request header or body echoed into an error log, for example) is enough, and no flood is required. Applications that never call `Writer()` (or the `WriterLevel()` variants, which share the same code path) and only use the regular `Info`/`Error`/`WithFields` API are not exposed; those that hand the writer to another logger, such as the standard library `log` package or an `http.Server.ErrorLog`, are.
Technical Details
The defect is in the goroutine that `Entry.Writer()` starts to drain the write end of an `io.Pipe` it hands back. That goroutine reads the pipe with a `bufio.Scanner`, whose default maximum token size is 64KB. When a single line exceeds that size without a newline, `Scan()` fails with `bufio.ErrTooLong`, the read loop exits, Logrus logs the scanner error and then closes the read end of the pipe. From that moment every `Write` on the `*io.PipeWriter` the caller still holds returns `io.ErrClosedPipe`. The writer is never reconnected, so whatever was plugged into it (an `http.Server.ErrorLog`, a `log.Logger`, a subprocess's stdout) produces no log output for the rest of the process lifetime. Most such callers ignore write errors, so the loss is silent: the application keeps serving traffic but goes blind.
This issue affects Logrus versions before 1.8.3, version 1.9.0, and version 1.9.2; the fix shipped in 1.8.3, 1.9.1 and 1.9.3.
CVSS Analysis
The National Vulnerability Database (NVD) has not yet assigned a CVSS score to CVE-2025-65637. The impact is confined to availability, and specifically to the availability of the logging path: there is no code execution and no data exposure, but an application whose error log is fed through `Entry.Writer()` can be silenced by one oversized line, which defeats monitoring, alerting and incident response for as long as the process runs. Rate the severity for your own deployment by how much you depend on that log stream and how much of its content is attacker-influenced.
Severity: N/A
CVSS Score: N/A
Possible Impact
The primary impact is loss of logging, not a crash. An attacker who can get one line longer than 64KB into a log stream that flows through `Entry.Writer()` closes the underlying pipe; the process continues to run, but every later write through that writer fails, and because the error is normally ignored nothing signals that logging has stopped. This can lead to:
- Service disruption, where the application treats logging failures as fatal or blocks on them
- Loss of audit and diagnostic data, since security-relevant events after the first oversized line are never recorded
- Blinded detection and incident response, as the silence is easy to mistake for a quiet system
- Reputational damage
Mitigation or Patch Steps
The recommended mitigation is to upgrade your Logrus dependency to a patched version. The fix is available in:
- Version 1.8.3 (for the 1.8.x line)
- Version 1.9.1 (supersedes the affected 1.9.0)
- Version 1.9.3 (supersedes the affected 1.9.2)
The patched writer chunks its input: a custom split function hands any run of 64KB or more to the logger as its own token instead of waiting for a newline, so `bufio.ErrTooLong` can no longer occur. Oversized lines are logged in 64KB pieces, the pipe stays open, and any residual scanner error is still logged rather than silently dropped.
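To make the failure mode from the Technical Details section and the chunking fix above concrete, here is an added, self-contained Go program. It is not logrus code and does not import logrus: `vulnerableScanner` reproduces the pre-fix drain loop (a default `bufio.Scanner` that closes the read end when it stops), `chunkedScanner` follows the shape of the upstream fix (a split function that returns 64KB runs as their own token), and `Exercise` wires either one to an `io.Pipe` the way `Entry.Writer()` does, writes a constructed 70,000-byte line followed by a normal line, and reports what survived. The function and type names are hypothetical.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
	"sync"
)

// ScanFunc stands in for the goroutine logrus starts behind Entry.Writer():
// it drains the read end of the pipe, hands every token to emit, closes the
// read end when it stops, and returns the scanner error (nil on clean EOF).
type ScanFunc func(reader *io.PipeReader, emit func(string)) error

// vulnerableScanner reproduces the pre-fix behaviour: a plain bufio.Scanner
// with the default 64KB token limit. One line longer than that makes Scan()
// fail with bufio.ErrTooLong, the loop exits and the read end is closed, so
// every later Write on the PipeWriter returns io.ErrClosedPipe.
func vulnerableScanner(reader *io.PipeReader, emit func(string)) error {
	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		emit(strings.TrimRight(scanner.Text(), "\r\n"))
	}
	err := scanner.Err()
	reader.Close()
	return err
}

// chunkedScanner has the shape of the upstream fix (an assumption of this
// example, not a copy of logrus): the buffer is pinned at the 64KB maximum and
// a custom split function returns any run of >= 64KB as one token instead of
// waiting for a newline, so ErrTooLong cannot occur and the pipe stays open.
func chunkedScanner(reader *io.PipeReader, emit func(string)) error {
	const chunkSize = bufio.MaxScanTokenSize // 64KB
	scanner := bufio.NewScanner(reader)
	scanner.Buffer(make([]byte, chunkSize), chunkSize)
	scanner.Split(func(data []byte, atEOF bool) (int, []byte, error) {
		if len(data) >= chunkSize {
			return chunkSize, data[:chunkSize], nil // emit a 64KB piece now
		}
		return bufio.ScanLines(data, atEOF) // otherwise normal line splitting
	})
	for scanner.Scan() {
		emit(strings.TrimRight(scanner.Text(), "\r\n"))
	}
	err := scanner.Err()
	reader.Close()
	return err
}

// Outcome records what happened to two consecutive writes through the pipe.
type Outcome struct {
	FirstWriteErr  error    // error from writing the oversized line
	SecondWriteErr error    // error from writing a normal line afterwards
	ScanErr        error    // error reported by the scanner goroutine
	Lines          []string // tokens the scanner delivered to the "logger"
}

// Exercise wires an io.Pipe to scan the way logrus does, writes one line of
// lineLen bytes with no embedded newline, then a short normal line, and
// reports what survived. lineLen > bufio.MaxScanTokenSize triggers the bug.
func Exercise(scan ScanFunc, lineLen int) Outcome {
	reader, writer := io.Pipe()
	var (
		mu      sync.Mutex
		lines   []string
		scanErr error
	)
	done := make(chan struct{})
	go func() {
		scanErr = scan(reader, func(s string) {
			mu.Lock()
			lines = append(lines, s)
			mu.Unlock()
		})
		close(done)
	}()

	var out Outcome
	// Constructed input: lineLen bytes of 'A' terminated by a single newline.
	oversized := append(bytes.Repeat([]byte("A"), lineLen), '\n')
	_, out.FirstWriteErr = writer.Write(oversized)
	_, out.SecondWriteErr = writer.Write([]byte("second message\n"))
	writer.Close()
	<-done

	out.ScanErr = scanErr
	mu.Lock()
	out.Lines = lines
	mu.Unlock()
	return out
}

func main() {
	scanners := map[string]ScanFunc{"vulnerable": vulnerableScanner, "chunked": chunkedScanner}
	for name, scan := range scanners {
		o := Exercise(scan, 70000) // 70,000-byte line, larger than bufio.MaxScanTokenSize
		fmt.Printf("%-10s tokens=%d scanErr=%v firstWrite=%v secondWrite=%v\n",
			name, len(o.Lines), o.ScanErr, o.FirstWriteErr, o.SecondWriteErr)
	}
}
```

With the vulnerable scanner the oversized write itself comes back with `io.ErrClosedPipe`, the short "second message" line is rejected the same way, and nothing at all reaches the logger; with the chunked scanner both writes succeed and the logger receives a 65536-byte piece, the 4464-byte remainder, and the normal line. Lines of ordinary length behave identically under both, which is why the bug goes unnoticed until the first oversized line arrives.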
To update your Logrus dependency using Go modules, run:
go get github.com/sirupsen/logrus@latest
Then rebuild and redeploy the application. Confirm that the resolved version in go.mod is 1.8.3, 1.9.1 or 1.9.3 (or later); because Go's minimal version selection applies to indirect dependencies too, bumping the requirement in your own module is enough even when Logrus is only pulled in transitively.
References
- logrus-dos-poc – Proof of concept for the denial-of-service vulnerability.
- logrus-dos-poc README – Further details about the vulnerability and its exploitation.
- logrus Issue #1370 – Discussion about the vulnerability.
- logrus Pull Request #1376 – The fix implemented to address the vulnerability.
- Logrus Release v1.8.3 – Release containing the fix.
- Logrus Release v1.9.1 – Release containing the fix.
- Logrus Release v1.9.3 – Release containing the fix.
- Snyk Vulnerability Report – Snyk’s report on the vulnerability.
