VYPR

Go modules package

github.com/ulikunitz/xz

pkg:golang/github.com/ulikunitz/xz

Vulnerabilities (3)

  • CVE-2025-58058MedAug 28, 2025
    affected < 0.5.15fixed 0.5.15

    xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the

  • CVE-2021-29482HigApr 28, 2021
    affected < 0.5.8fixed 0.5.8

    xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can

  • CVE-2020-16845HigAug 6, 2020
    affected < 0.5.8fixed 0.5.8

    Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.