PT-2025-35145 · Xz +1 · Xz +1
Gregorybuligin
·
Published
2025-08-28
·
Updated
2025-08-29
·
CVE-2025-58058
5.3
Medium
| Base vector | Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions:
xz versions prior to 0.5.14
Description:
The xz package contains a flaw where data can be prepended to an LZMA-encoded byte stream without detection during header reading. This can lead to excessive memory consumption due to the allocation of a full decoding buffer. The LZMA header lacks a magic number or checksum to identify this issue as per the specification. While the code eventually detects the problem during stream reading, memory has already been allocated at that point. This issue affects software utilizing `lzma.NewReader` or `lzma.ReaderConfig.NewReader`.
Recommendations:
Update to xz version 0.5.14 or later to address this issue.
Fix
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
References · 13
- https://osv.dev/vulnerability/GHSA-jc7w-c686-c4v9 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2025-58058 · Vendor Advisory
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58058 · Security Note
- https://security-tracker.debian.org/tracker/CVE-2025-58058 · Vendor Advisory
- https://security-tracker.debian.org/tracker/source-package/golang-github-ulikunitz-xz · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-58058 · Security Note
- https://github.com/ulikunitz/xz⭐ 523 🔗 49 · Note
- https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2⭐ 522 🔗 48 · Note
- https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9⭐ 522 🔗 48 · Note
- https://t.me/CVEtracker/31170 · Telegram Post
- https://twitter.com/CVEnew/status/1961282421158215758 · Twitter Post
- https://t.me/cveNotify/133864 · Telegram Post
- https://packages.debian.org/src:golang-github-ulikunitz-xz · Note