{"id":"GO-2025-4014","summary":"Unbounded allocation when parsing GNU sparse map in archive/tar","details":"tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.","aliases":["BIT-golang-2025-58183","CVE-2025-58183"],"modified":"2026-05-21T10:29:29.571049914Z","published":"2025-10-29T21:51:04Z","related":["CGA-2p9m-qwm8-4pcg","RHSA-2025:21778","RHSA-2025:21779","RHSA-2025:21815","RHSA-2025:21816","RHSA-2025:21856","RHSA-2025:21964","RHSA-2025:22011","RHSA-2025:22012","RHSA-2025:22030","RHSA-2025:22181","RHSA-2025:22255","RHSA-2025:22668","RHSA-2025:22899","RHSA-2025:23001","RHSA-2025:23002","RHSA-2025:23087","RHSA-2025:23088","RHSA-2025:23294","RHSA-2025:23295","RHSA-2025:23325","RHSA-2025:23326","RHSA-2025:23347","RHSA-2025:23348","RHSA-2025:23374","RHSA-2025:23394","RHSA-2025:23733","RHSA-2025:23736","RHSA-2025:23737","RHSA-2025:23740","RHSA-2025:23741","RHSA-2025:23746","RHSA-2025:23747","RHSA-2025:23948","RHSA-2026:0226","RHSA-2026:0227","RHSA-2026:0243","RHSA-2026:0244","RHSA-2026:0245","RHSA-2026:0246","RHSA-2026:0314","RHSA-2026:0424","RHSA-2026:0426","RHSA-2026:0477","RHSA-2026:0973","RHSA-2026:0987","RHSA-2026:1025","RHSA-2026:10703","RHSA-2026:1377","RHSA-2026:1378","RHSA-2026:1379","RHSA-2026:1380","RHSA-2026:1381","RHSA-2026:17446","RHSA-2026:17595","RHSA-2026:1837","RHSA-2026:1838","RHSA-2026:2071","RHSA-2026:2082","RHSA-2026:2711","RHSA-2026:3875","RHSA-2026:4418","RHSA-2026:4464","RHSA-2026:4532","RHSA-2026:4533","RHSA-2026:4693","RHSA-2026:5086","RHSA-2026:5234","RHSA-2026:5866","RHSA-2026:5876","RHSA-2026:6191","RHSA-2026:7291","RHSA-2026:7385","RHSA-2026:8325"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2025-4014"},"references":[{"type":"FIX","url":"https://go.dev/cl/709861"},{"type":"REPORT","url":"https://go.dev/issue/75677"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.8"},{"introduced":"1.25.0"},{"fixed":"1.25.2"}]}],"ecosystem_specific":{"imports":[{"path":"archive/tar","symbols":["Reader.Next","readGNUSparseMap1x0"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-4014.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harshit Gupta (Mr HAX)"}]}