CVE-2025-58058
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-08-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ulikunitz | xz | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the xz golang package before version 0.5.14. It allows data to be placed in front of an LZMA-encoded byte stream without detection when reading the header. Because the LZMA header lacks a magic number or checksum, the package allocates the full decoding buffer immediately after reading the header, which can lead to increased memory consumption. Although the issue is recognized later during stream reading, the memory allocation has already occurred. This vulnerability was fixed in version 0.5.14.
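As an added example (not code from the xz project), the following Go snippet shows the defender-side check the fix amounts to: parse the 13-byte LZMA-alone header (properties byte, little-endian dictionary size, little-endian uncompressed size) and bound the dictionary size before any decoding buffer is allocated. The `ParseHeader` and `CheckDictCap` names and the 64 MiB cap are assumptions; the sample header bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// LZMA-alone header: 1 properties byte, 4-byte LE dictionary size,
// 8-byte LE uncompressed size (all 0xFF = unknown). No magic, no checksum.
const lzmaHeaderLen = 13

// Header holds the fields a decoder reads before sizing its buffers.
type Header struct {
	LC, LP, PB       int
	DictSize         uint32
	UncompressedSize uint64 // ^uint64(0) means "unknown"
}

// ParseHeader decodes the fixed-size header without allocating anything.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < lzmaHeaderLen {
		return Header{}, errors.New("lzma: short header")
	}
	props := int(b[0])
	if props >= 9*5*5 { // lc < 9, lp < 5, pb < 5
		return Header{}, fmt.Errorf("lzma: invalid properties byte 0x%02x", props)
	}
	return Header{
		LC: props % 9, LP: (props / 9) % 5, PB: props / 45,
		DictSize:         binary.LittleEndian.Uint32(b[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(b[5:13]),
	}, nil
}

// CheckDictCap rejects a header whose dictionary size exceeds what the
// caller is willing to allocate; since the header is unauthenticated,
// this bound is the only protection before the decoder reserves memory.
func CheckDictCap(h Header, maxDict uint32) error {
	if h.DictSize > maxDict {
		return fmt.Errorf("lzma: dictionary size %d exceeds cap %d", h.DictSize, maxDict)
	}
	return nil
}

func main() {
	// Constructed header: props 0x5d (lc=3, lp=0, pb=2), 4 GiB-1 dictionary, unknown size.
	hdr := []byte{0x5d, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
	h, err := ParseHeader(hdr)
	if err == nil {
		err = CheckDictCap(h, 64<<20) // assumed cap: 64 MiB
	}
	fmt.Printf("header=%+v err=%v\n", h, err)
}
```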
How can this vulnerability impact me?
The vulnerability can cause increased memory consumption when processing specially crafted xz-compressed files. This could potentially lead to resource exhaustion or denial of service conditions in applications using vulnerable versions of the xz package.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the xz golang package to version 0.5.14 or later, as this version includes a patch that addresses the vulnerability.