VYPR
High severity · OSV Advisory · Published Dec 4, 2025 · Updated Dec 5, 2025

CVE-2025-65637

Description

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Logrus Writer() DoS via single-line payload >64KB without newlines, fixed in versions 1.8.3, 1.9.1, 1.9.3+.

Vulnerability

Description

A denial-of-service vulnerability exists in the github.com/sirupsen/logrus package when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. The internal bufio.Scanner has a default maximum token size of 64KB, and a longer line causes a "token too long" error, which closes the writer pipe and renders Writer() permanently unusable [1][3][4].

Exploitation

Conditions

An attacker can trigger the vulnerability by causing the application to log a payload exceeding 64KB (e.g., 70KB) through Writer(). No authentication is required if the service logs untrusted input. The scanner failure blocks the writing goroutine, leading to application hang and denial of service [4].

Impact

Successful exploitation results in a denial of service: the application becomes unresponsive when attempting to use Writer() after the error. Versions prior to 1.8.3, and versions 1.9.0 and 1.9.2 are affected [3].

Mitigation

The issue is fixed in versions 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and Writer() continues to function even if an error is logged. Users should upgrade to a patched version [1][3][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
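
As an added illustration of the mechanism and fix described above (example code, not from logrus or this advisory), the block below reproduces the "token too long" failure with a plain bufio.Scanner on a constructed 70KB newline-free line, and beside it a split function, ScanLinesChunked (a name assumed here), that keeps ScanLines-style newline splitting, cuts over-long lines into 64KB pieces, and returns a nil token at EOF as the bufio.SplitFunc contract requires.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
)

const chunkSize = 64 * 1024 // == bufio.MaxScanTokenSize, the default cap at which bufio.ScanLines fails

// ScanLinesChunked splits on '\n' like bufio.ScanLines (dropping a trailing '\r') but caps tokens at
// chunkSize, so an over-long line comes out as 64KB pieces instead of failing the scanner.
func ScanLinesChunked(data []byte, atEOF bool) (int, []byte, error) {
	if atEOF && len(data) == 0 {
		return 0, nil, nil // SplitFunc contract: nil token at EOF with no data, else the scanner emits empty tokens
	}
	if i := bytes.IndexByte(data, '\n'); i >= 0 && i <= chunkSize {
		return i + 1, bytes.TrimRight(data[:i], "\r"), nil // complete line within the cap
	}
	if len(data) > chunkSize {
		return chunkSize, data[:chunkSize], nil // over-long line: emit one piece, keep going
	}
	if atEOF {
		return len(data), data, nil // final line without a trailing newline
	}
	return 0, nil, nil // no newline yet and under the cap: ask for more data
}

// ReadLogLines drains r through a bufio.Scanner using split and buffer cap maxBuf and returns the
// tokens a logger would print plus the scanner error (ScanLinesChunked needs maxBuf > chunkSize).
func ReadLogLines(r io.Reader, split bufio.SplitFunc, maxBuf int) ([]string, error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(nil, maxBuf)
	sc.Split(split)
	var lines []string
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	return lines, sc.Err()
}

func main() {
	payload := strings.Repeat("A", 70*1024) + "\nsecond line\n" // constructed: 70KB newline-free line, then a normal one
	_, err := ReadLogLines(strings.NewReader(payload), bufio.ScanLines, bufio.MaxScanTokenSize)
	fmt.Println("default ScanLines:", err) // bufio.Scanner: token too long (both lines lost)
	lines, err := ReadLogLines(strings.NewReader(payload), ScanLinesChunked, 2*chunkSize)
	fmt.Println("chunked:", len(lines), "tokens, err:", err) // 3 tokens, err: <nil>
}
```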

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
github.com/sirupsen/logrus (Go)  < 1.8.3               1.8.3
github.com/sirupsen/logrus (Go)  >= 1.9.0, < 1.9.1     1.9.1
github.com/sirupsen/logrus (Go)  >= 1.9.2, < 1.9.3     1.9.3

Affected products (2)

  • Sirupsen/Logrus (OSV) · 2 versions
    1.0.2, v0.1.0, v0.1.1, …+ 1 more
    • (no CPE) range: 1.0.2, v0.1.0, v0.1.1, …
    • (no CPE) range: <1.8.3, 1.9.0, 1.9.2

Patches (1)

6acd90375868

Merge pull request #1376 from ozfive/master

https://github.com/sirupsen/logrus · Simon Eskildsen · May 15, 2023 · via ghsa
1 file changed · +33 −1
  • writer.go · +33 −1 · modified
    @@ -4,6 +4,7 @@ import (
     	"bufio"
     	"io"
     	"runtime"
    +	"strings"
     )
     
     // Writer at INFO level. See WriterLevel for details.
    @@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
     	return NewEntry(logger).WriterLevel(level)
     }
     
    +// Writer returns an io.Writer that writes to the logger at the info log level
     func (entry *Entry) Writer() *io.PipeWriter {
     	return entry.WriterLevel(InfoLevel)
     }
     
    +// WriterLevel returns an io.Writer that writes to the logger at the given log level
     func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
     	reader, writer := io.Pipe()
     
     	var printFunc func(args ...interface{})
     
    +	// Determine which log function to use based on the specified log level
     	switch level {
     	case TraceLevel:
     		printFunc = entry.Trace
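Review bot: the new doc comments on Writer and WriterLevel say they return an io.Writer, but both signatures return *io.PipeWriter, and the comment should also state that the caller must Close it: the writerScanner goroutine started in WriterLevel only exits once the pipe is closed, and the finalizer set on the writer only covers the case where it becomes unreachable. Suggested wording: `// Writer returns a *io.PipeWriter that logs each write at the Info level; the caller should Close it when done`.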
    @@ -48,23 +52,51 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
     		printFunc = entry.Print
     	}
     
    +	// Start a new goroutine to scan the input and write it to the logger using the specified print function.
    +	// It splits the input into chunks of up to 64KB to avoid buffer overflows.
     	go entry.writerScanner(reader, printFunc)
    +
    +	// Set a finalizer function to close the writer when it is garbage collected
     	runtime.SetFinalizer(writer, writerFinalizer)
     
     	return writer
     }
     
    +// writerScanner scans the input from the reader and writes it to the logger
     func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
     	scanner := bufio.NewScanner(reader)
    +
    +	// Set the buffer size to the maximum token size to avoid buffer overflows
    +	scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
    +
    +	// Define a split function to split the input into chunks of up to 64KB
    +	chunkSize := 64 * 1024 // 64KB
    +	splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
    +		if len(data) > chunkSize {
    +			return chunkSize, data[:chunkSize], nil
    +		}
    +
    +		return len(data), data, nil
    +	}
    +
    +	//Use the custom split function to split the input
    +	scanner.Split(splitFunc)
    +
    +	// Scan the input and write it to the logger using the specified print function
     	for scanner.Scan() {
    -		printFunc(scanner.Text())
    +		printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
     	}
    +
    +	// If there was an error while scanning the input, log an error
     	if err := scanner.Err(); err != nil {
     		entry.Errorf("Error while reading from Writer: %s", err)
     	}
    +
    +	// Close the reader when we are done
     	reader.Close()
     }
     
    +// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
     func writerFinalizer(writer *io.PipeWriter) {
     	writer.Close()
     }
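Review bot: splitFunc never returns a nil token, so at EOF with an empty buffer it returns `(0, data, nil)` with a zero-length but non-nil slice; bufio.Scanner treats that as a real token, so once the writer is closed `scanner.Scan()` keeps returning true, printFunc logs empty lines, and bufio panics with "too many empty tokens without progressing" after about a hundred iterations. Add `if atEOF && len(data) == 0 { return 0, nil, nil }` at the top of splitFunc, as bufio.ScanLines does. Two further points: `scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)` caps the buffer at exactly chunkSize, so `len(data) > chunkSize` can never be true and the `return chunkSize, data[:chunkSize], nil` branch is dead code; and because the function otherwise returns everything buffered, the previous newline-based splitting is gone, so one Write containing several newline-separated lines now becomes a single log entry with embedded newlines. The comments saying "to avoid buffer overflows" describe a token-size limit, not an overflow, and should say so.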
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (10)

News mentions (0)

No linked articles in our index yet.