CVE-2025-58058
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-08-29

Assigner: GitHub, Inc.

Description
xz is a pure Go package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would detect such an issue. Note that the code does recognize the problem later while reading the stream, but by then the memory allocation has already been made. This issue has been patched in version 0.5.14.
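As an added illustration (not code from the ulikunitz/xz project), the following Go program parses the classic 13-byte .lzma header layout assumed here (properties byte, little-endian dictionary size, little-endian uncompressed size) and refuses any dictionary size above a caller-supplied cap before anything is allocated. The constructed `PrefixedStream` sample shows why a cap matters: with no magic number, bytes placed in front of the stream parse as a plausible header whose dictionary field is about 1 GiB.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Classic .lzma header: 1 properties byte, 4-byte LE dictionary size, 8-byte LE uncompressed size. No magic, no checksum.
const headerLen = 13

// Header holds the decoded fields of an LZMA header.
type Header struct {
	LC, LP, PB       int
	DictSize         uint32
	UncompressedSize uint64 // all ones means "unknown"
}

// ParseHeader validates the header and rejects a dictionary size above dictCap, so no buffer is ever sized by untrusted bytes.
func ParseHeader(b []byte, dictCap uint32) (Header, error) {
	if len(b) < headerLen {
		return Header{}, errors.New("lzma: header too short")
	}
	props := int(b[0])
	if props >= 225 { // props = (pb*5+lp)*9+lc with pb<=4, lp<=4, lc<=8
		return Header{}, fmt.Errorf("lzma: invalid properties byte 0x%02x", props)
	}
	h := Header{LC: props % 9, LP: (props / 9) % 5, PB: props / 45,
		DictSize:         binary.LittleEndian.Uint32(b[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(b[5:13])}
	if h.DictSize > dictCap {
		return h, fmt.Errorf("lzma: dictionary size %d exceeds cap %d", h.DictSize, dictCap)
	}
	return h, nil
}

// ValidHeader is a constructed, well-formed header: lc=3, lp=0, pb=2, 64 KiB dictionary, unknown size.
func ValidHeader() []byte {
	b := make([]byte, headerLen)
	b[0] = 0x5d
	binary.LittleEndian.PutUint32(b[1:5], 1<<16)
	binary.LittleEndian.PutUint64(b[5:13], ^uint64(0))
	return b
}

// PrefixedStream is a constructed sample of junk placed before the real header; the junk itself parses as a header.
func PrefixedStream() []byte {
	return append([]byte("GARBAGE!"), ValidHeader()...)
}

func main() {
	for _, in := range [][]byte{ValidHeader(), PrefixedStream()} {
		h, err := ParseHeader(in, 1<<26) // 64 MiB cap
		fmt.Printf("dict=%d err=%v\n", h.DictSize, err)
	}
}
```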
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: ulikunitz
Product: xz
Version / Range: *
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

This vulnerability exists in the xz Go package before version 0.5.14. It allows data to be placed in front of an LZMA-encoded byte stream without detection when reading the header. Because the LZMA header has no magic number or checksum, the prepended data cannot be detected at header-parse time, and the package allocates the full decoding buffer immediately after reading the header, which can lead to increased memory consumption. Although the issue is recognized later during stream reading, the memory allocation has already occurred by then. This vulnerability was fixed in version 0.5.14.

Impact Analysis

The vulnerability can cause increased memory consumption when processing specially crafted xz-compressed files. This could potentially lead to resource exhaustion or denial of service conditions in applications using vulnerable versions of the xz package.

Mitigation Strategies

Upgrade the xz golang package to version 0.5.14 or later, as this version includes a patch that addresses the vulnerability.
