Go modules package
github.com/ulikunitz/xz
pkg:golang/github.com/ulikunitz/xz
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58058 | Med | 5.3 | < 0.5.15 | 0.5.15 | Aug 28, 2025 | xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the | |
| CVE-2021-29482 | Hig | 7.5 | < 0.5.8 | 0.5.8 | Apr 28, 2021 | xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can | |
| CVE-2020-16845 | Hig | 7.5 | < 0.5.8 | 0.5.8 | Aug 6, 2020 | Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. |
- affected < 0.5.15fixed 0.5.15
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the
- affected < 0.5.8fixed 0.5.8
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can
- affected < 0.5.8fixed 0.5.8
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.