CVE-2025-65637

HIGH

Turbopuffer Logrus < 1.8.3 - Denial of Service

Title source: rule

Description

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.
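The failure mode described above can be reproduced with the Go standard library alone. This is an added example, not logrus code or code from this advisory: `drain` and `chunkOrLine` are hypothetical names, and the pipe-plus-scanner goroutine is an assumed model of a pipe-backed log writer, shown first with the default line splitter and then with a splitter that chunks oversized input.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// chunkOrLine (hypothetical) is a bufio.SplitFunc: whole lines pass through, and a
// full 64 KiB buffer with no newline is emitted as a chunk instead of ErrTooLong.
func chunkOrLine(data []byte, atEOF bool) (int, []byte, error) {
	const maxChunk = bufio.MaxScanTokenSize // 64 * 1024, the Scanner's default limit
	if bytes.IndexByte(data, '\n') < 0 && len(data) >= maxChunk {
		return maxChunk, data[:maxChunk], nil
	}
	return bufio.ScanLines(data, atEOF)
}

// drain (hypothetical) models a pipe-backed log writer: a goroutine scans the read
// end and closes it when the loop exits. It returns the records delivered, the
// scanner's final error, and the error from the last Write.
func drain(split bufio.SplitFunc, payloads ...string) (records int, scanErr, writeErr error) {
	pr, pw := io.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer pr.Close() // once closed, every later Write fails
		sc := bufio.NewScanner(pr)
		sc.Split(split)
		for sc.Scan() {
			records++
		}
		scanErr = sc.Err()
	}()
	for _, p := range payloads {
		_, writeErr = io.WriteString(pw, p)
	}
	pw.Close()
	<-done
	return
}

func main() {
	big := strings.Repeat("A", 200*1024) + "\n" // constructed single line > 64 KB
	fmt.Println(drain(bufio.ScanLines, big, "ok\n")) // scanner stops, pipe is dead
	fmt.Println(drain(chunkOrLine, big, "ok\n"))     // payload chunked, "ok" delivered
}
```

With the default splitter the later, well-formed `ok` record is lost because the read end is already closed; with chunking the oversized line arrives as several records and the writer stays usable.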

Exploits (2)

github WORKING POC 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-65637
nomisec WORKING POC 1 stars
by mjuanxd · poc
https://github.com/mjuanxd/logrus-dos-poc

Scores

CVSS v3 7.5
EPSS 0.0003
EPSS Percentile 9.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-400
Status published

Affected Products (4)

turbopuffer/logrus < 1.8.3
turbopuffer/logrus
turbopuffer/logrus
sirupsen/logrus < 1.8.3 (Go)

Timeline

Published Dec 04, 2025
Tracked Since Feb 18, 2026