Low severity3.3NVD Advisory· Published Jun 16, 2025· Updated Apr 29, 2026

CVE-2025-6140

Description

A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.2 is able to address this issue. The identifier of the patch is 10320184df1eb4638e253a34b1eb44ce78954094. It is recommended to upgrade the affected component.

Affected products

Gabime/Spdlog
cpe:2.3:a:gabime:spdlog:*:*:*:*:*:*:*:*
Range: <1.15.2

Patches

48bcf39a661a

Version 1.15.2

https://github.com/gabime/spdloggabimeMar 29, 2025via osv

commit

1 file changed · +1 −1

include/spdlog/version.h+1 −1 modified

@@ -5,7 +5,7 @@
 
 #define SPDLOG_VER_MAJOR 1
 #define SPDLOG_VER_MINOR 15
-#define SPDLOG_VER_PATCH 1
+#define SPDLOG_VER_PATCH 2
 
 #define SPDLOG_TO_VERSION(major, minor, patch) (major * 10000 + minor * 100 + patch)
 #define SPDLOG_VERSION SPDLOG_TO_VERSION(SPDLOG_VER_MAJOR, SPDLOG_VER_MINOR, SPDLOG_VER_PATCH)

10320184df1e

Fixed issue #3360 (#3361)

https://github.com/gabime/spdlogGabi MelmanMar 17, 2025via nvd-ref

commit

1 file changed · +5 −3

include/spdlog/pattern_formatter-inl.h+5 −3 modified

@@ -70,6 +70,9 @@ class scoped_padder {
             pad_it(remaining_pad_);
         } else if (padinfo_.truncate_) {
             long new_size = static_cast<long>(dest_.size()) + remaining_pad_;
+            if (new_size < 0) {
+                new_size = 0;
+            }
             dest_.resize(static_cast<size_t>(new_size));
         }
     }
@@ -264,7 +267,7 @@ class D_formatter final : public flag_formatter {
         : flag_formatter(padinfo) {}
 
     void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override {
-        const size_t field_size = 10;
+        const size_t field_size = 8;
         ScopedPadder p(field_size, padinfo_, dest);
 
         fmt_helper::pad2(tm_time.tm_mon + 1, dest);
@@ -926,9 +929,8 @@ class full_formatter final : public flag_formatter {
     memory_buf_t cached_datetime_;
 
 #ifndef SPDLOG_NO_TLS
-    mdc_formatter<null_scoped_padder> mdc_formatter_{padding_info{}};
+    mdc_formatter<null_scoped_padder> mdc_formatter_{padding_info {}};
 #endif
-
 };
 
 }  // namespace details

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094nvdPatch
github.com/gabime/spdlog/issues/3360nvdExploitIssue Tracking
github.com/gabime/spdlog/issues/3360nvdExploitIssue Tracking
vuldb.comnvdThird Party AdvisoryVDB Entry
vuldb.comnvdThird Party AdvisoryVDB Entry
github.com/gabime/spdlog/releases/tag/v1.15.2nvdRelease Notes
vuldb.comnvdPermissions RequiredVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000