VYPR
← All advisories
Moderate severityNVD Advisory· Published Oct 10, 2025· Updated Dec 2, 2025

DoS via Out Of Memory Crash

CVE-2025-11579

Description

github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-11579: rardecode Go library <=2.1.1 lacks dictionary size limits, enabling OOM denial-of-service via crafted RAR files.

Vulnerability

Overview

The Go library github.com/nwaples/rardecode versions up to and including 2.1.1 fails to restrict the dictionary size when processing RAR archives. The library's decompression logic reads the dictionary size from the archive header without validating it against a safe upper bound. An attacker can craft a RAR file with an arbitrarily large dictionary size value, causing the library to attempt allocating an enormous dictionary buffer. This leads to an Out-Of-Memory (OOM) crash, resulting in a Denial of Service (DoS) [1].

Exploitation

Exploitation requires no authentication; the attacker only needs to deliver a specially crafted RAR file to a system using the vulnerable library. The attack surface includes any application that uses rardecode to parse or extract RAR archives, such as file extraction tools or services that accept user-uploaded archives. The library does not validate the dictionary size before allocation, so simply opening the malicious archive triggers the crash [1][2].

Impact

A successful attack causes the application (or the entire process) to run out of memory and terminate, denying service to legitimate users. Since the crash occurs during archive parsing, it can be triggered remotely if the application accepts RAR files from untrusted sources. The vulnerability is classified as a high-severity DoS issue [1].

Mitigation

The vulnerability is fixed in commit 52fb4e825c936636f251f7e7deded39ab11df9a9, which introduces a configurable maximum dictionary size (defaulting to 4 GB) and adds a check to reject archives with dictionary sizes exceeding that limit [2]. Users should update to a version containing this fix (e.g., after commit 52fb4e8) or apply the patch. The Go vulnerability database entry GO-2025-4020 also tracks this issue [4].

References
  1. NVD - CVE-2025-11579
  2. allow max dictionary size to be set, with default now at 4GB · nwaples/rardecode@52fb4e8
  3. GO-2025-4020 - Go Packages

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/nwaples/rardecode/v2Go
< 2.2.02.2.0
github.com/nwaples/rardecodeGo
<= 1.1.3

Affected products

2

Patches

1
52fb4e825c93

allow max dictionary size to be set, with default now at 4GB

https://github.com/nwaples/rardecodeNicholas WaplesSep 28, 2025via ghsa
commit
2 files changed · +23 10
  • reader.go+1 1 modified
    @@ -336,7 +336,7 @@ func (pr *packedFileReader) newArchiveFileFrom(r archiveFile, blocks *fileBlockL
 		if !h.UnKnownSize && h.winSize > h.UnPackedSize {
 			h.winSize = h.UnPackedSize
 		}
-		if h.winSize > maxDictSize {
+		if h.winSize > maxDictSize || h.winSize > pr.opt.maxDictSize {
 			return nil, ErrDictionaryTooLarge
 		}
 		if h.winSize > math.MaxInt {
  • volume.go+22 9 modified
    @@ -21,18 +21,23 @@ var (
 	defaultFS = osFS{}
 )
 
+const (
+	DefaultMaxDictionarySize = 4 << 30 // default max dictionary size of 4GB
+)
+
 type osFS struct{}
 
 func (fs osFS) Open(name string) (fs.File, error) {
 	return os.Open(name)
 }
 
 type options struct {
-	bsize     int     // size to be use for bufio.Reader
-	fs        fs.FS   // filesystem to use to open files
-	pass      *string // password for encrypted volumes
-	skipCheck bool
-	openCheck bool
+	bsize       int     // size to be use for bufio.Reader
+	maxDictSize int64   // max dictionary size
+	fs          fs.FS   // filesystem to use to open files
+	pass        *string // password for encrypted volumes
+	skipCheck   bool
+	openCheck   bool
 }
 
 // An Option is used for optional archive extraction settings.
@@ -43,6 +48,14 @@ func BufferSize(size int) Option {
 	return func(o *options) { o.bsize = size }
 }
 
+// MaxDictionarySize sets the maximum size in bytes of the dictionary used in decoding a file.
+// Any attempt to decode a file with a larger size will return an error.
+// The default size if not set is DefaultMaxDictionarySize.
+// Any size above 64GB will be ignored. Any size below 256kB will prevent any file from being decoded.
+func MaxDictionarySize(size int64) Option {
+	return func(o *options) { o.maxDictSize = size }
+}
+
 // FileSystem sets the fs.FS to be used for opening archive volumes.
 func FileSystem(fs fs.FS) Option {
 	return func(o *options) { o.fs = fs }
@@ -60,7 +73,10 @@ func SkipCheck(o *options) { o.skipCheck = true }
 func OpenFSCheck(o *options) { o.openCheck = true }
 
 func getOptions(opts []Option) *options {
-	opt := &options{}
+	opt := &options{
+		fs:          defaultFS,
+		maxDictSize: DefaultMaxDictionarySize,
+	}
 	for _, f := range opts {
 		f(opt)
 	}
@@ -72,9 +88,6 @@ func getOptions(opts []Option) *options {
 			opt.pass = &pw
 		}
 	}
-	if opt.fs == nil {
-		opt.fs = defaultFS
-	}
 	return opt
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.