CVE-2025-65637 Overview
A denial-of-service vulnerability exists in the popular Go logging library github.com/sirupsen/logrus when using Entry.Writer() to log single-line payloads larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read operation fails with a "token too long" error and the writer pipe is closed, leaving Writer() unusable and causing application unavailability. This vulnerability falls under the Resource Exhaustion category (CWE-400), allowing attackers to render applications unresponsive by sending specially crafted large payloads.
Critical Impact
Applications using Logrus Entry.Writer() can be rendered completely unavailable when processing payloads exceeding 64KB without newlines, as the writer becomes permanently unusable after encountering this condition.
Affected Products
- Turbopuffer Logrus versions < 1.8.3
- Turbopuffer Logrus version 1.9.0
- Turbopuffer Logrus version 1.9.2
Discovery Timeline
- 2025-12-04 - CVE CVE-2025-65637 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-65637
Vulnerability Analysis
This denial-of-service vulnerability stems from how Logrus handles large single-line log entries through its Entry.Writer() function. When an application attempts to log a payload exceeding 64KB (65,536 bytes) that contains no newline characters, the underlying bufio.Scanner encounters its default token size limit and returns a "token too long" error.
The critical issue is not just the initial failure, but that the writer pipe is permanently closed after this error occurs. This means any subsequent attempts to use the same Writer() instance will fail, effectively disabling the logging functionality and potentially causing the entire application to become unavailable if it depends on successful logging operations.
Applications that accept user-controlled input and log it using Entry.Writer() are particularly vulnerable, as an attacker can craft malicious payloads specifically designed to trigger this condition.
Root Cause
The root cause lies in Go's bufio.Scanner default configuration, which has a maximum token size of 64KB. When Entry.Writer() uses bufio.Scanner internally to process incoming data, it expects newline-delimited input. A single line exceeding this limit causes the scanner to fail irrecoverably, and the implementation did not properly handle this edge case, resulting in the writer pipe being closed and becoming permanently unusable.
Attack Vector
This vulnerability is exploitable over the network with low attack complexity and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a specially crafted payload larger than 64KB without any newline characters to an application endpoint that logs the received data using Logrus Entry.Writer().
The attack scenario involves:
- Identifying an application using Logrus that logs user-controllable input via Entry.Writer()
- Crafting a single-line payload exceeding 64KB without newline characters
- Sending this payload to the vulnerable application
- The Logrus writer encounters the "token too long" error and closes the pipe
- The application's logging functionality becomes permanently broken, causing denial of service
For detailed technical information about exploitation, see the GitHub PoC Repository and the README Documentation.
Detection Methods for CVE-2025-65637
Indicators of Compromise
- Application logs containing "token too long" errors from the bufio.Scanner
- Sudden cessation of logging activity following processing of unusually large requests
- Application monitoring alerts indicating logging subsystem failures
Detection Strategies
- Monitor application error logs for "token too long" scanner errors associated with Logrus
- Implement request size monitoring to detect abnormally large single-line payloads approaching or exceeding 64KB
- Deploy Software Composition Analysis (SCA) tools to identify vulnerable Logrus versions in your codebase
Monitoring Recommendations
- Configure alerting for logging subsystem failures or unexpected writer pipe closures
- Track request payload sizes at the application boundary to identify potential exploitation attempts
- Establish baseline metrics for logging throughput to detect sudden drops that may indicate DoS conditions
How to Mitigate CVE-2025-65637
Immediate Actions Required
- Update Logrus to a patched version: 1.8.3, 1.9.1, or 1.9.3+
- Audit applications to identify usage of Entry.Writer() with user-controllable input
- Implement input validation to reject or truncate payloads exceeding reasonable size limits before logging
Patch Information
The vulnerability has been fixed in Logrus versions 1.8.3, 1.9.1, and 1.9.3+. The fix implements input chunking, ensuring that the writer continues to function even if an error is logged during processing of large payloads. Review the GitHub Pull Request for implementation details.
Patched releases are available:
For additional vulnerability details, consult the Snyk Vulnerability Report and the GitHub Logrus Issue.
Workarounds
- Implement input validation to ensure logged data does not exceed 64KB without newlines
- Insert artificial newline characters into large payloads before passing them to Entry.Writer()
- Consider using alternative Logrus logging methods that do not utilize Entry.Writer() for handling potentially large payloads
# Update Logrus to patched version using Go modules
go get github.com/sirupsen/logrus@v1.9.3
go mod tidy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
