Go Archive/Tar Unbounded Memory Allocation Vulnerability in Sparse Files

Vulnerability

A vulnerability exists in the archive/tar package of the Go standard library in versions before 1.24.8 and in the 1.25 series from 1.25.0 up to, but not including, 1.25.2. tar.Reader places no limit on the number of sparse region data blocks it will process when parsing a GNU tar pax 1.0 sparse file, so a maliciously crafted archive containing a very large number of sparse regions can drive the Reader into unbounded memory allocation as it reads the sparse map from the archive. The problem is amplified when the archive is compressed: a small compressed input can expand into a much larger stream and correspondingly large memory allocations.
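For services that must keep accepting untrusted archives, the usual defence-in-depth measure alongside the upgrade is to bound how many decompressed bytes tar.Reader is allowed to pull from the stream, since every header, pax record and sparse map is parsed out of that stream. The Go program below is an added example, not code from this advisory or from the Go project; the function names ListGzipTarBounded, BuildSampleTarGz and ErrArchiveTooLarge are this example's own, and the archive it parses is a constructed fixture of ordinary regular files, not a sparse archive. It bounds the decompressed stream with io.LimitReader and reports a distinct error when the budget is exceeded, which also catches an archive truncated exactly on a header boundary that would otherwise look like a clean end-of-archive.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrArchiveTooLarge is returned when the tar stream, after decompression,
// exceeds the caller's byte budget. (Hypothetical name, this example's own.)
var ErrArchiveTooLarge = errors.New("archive exceeds decompressed byte budget")

// Entry records one listed archive member.
type Entry struct {
	Name string
	Size int64
}

// countingReader counts the bytes tar.Reader actually pulls from the stream:
// headers, pax records, sparse maps, file data and padding all pass through it.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// ListGzipTarBounded lists the members of a gzip-compressed tar stream while
// capping the decompressed bytes tar.Reader may consume at maxDecompressed.
// Capping the stream caps the parsing work and the memory the Reader can spend
// on one archive, even when the compressed input is tiny.
func ListGzipTarBounded(compressed io.Reader, maxDecompressed int64) ([]Entry, error) {
	gz, err := gzip.NewReader(compressed)
	if err != nil {
		return nil, err
	}
	defer gz.Close()

	// Allow one byte beyond the budget: an archive of exactly the budget size
	// is accepted, and anything larger is detected by the counter, even if the
	// Reader happens to see EOF on a header boundary and reports a clean end.
	cr := &countingReader{r: io.LimitReader(gz, maxDecompressed+1)}
	tr := tar.NewReader(cr)

	var entries []Entry
	for {
		hdr, err := tr.Next()
		if cr.n > maxDecompressed {
			return entries, ErrArchiveTooLarge
		}
		if err == io.EOF {
			return entries, nil // genuine end-of-archive marker within budget
		}
		if err != nil {
			return entries, err
		}
		entries = append(entries, Entry{Name: hdr.Name, Size: hdr.Size})

		// Drain the member body through the same bounded reader so that file
		// contents count against the budget as well.
		if _, err := io.Copy(io.Discard, tr); err != nil {
			if cr.n > maxDecompressed {
				return entries, ErrArchiveTooLarge
			}
			return entries, err
		}
	}
}

// BuildSampleTarGz builds a small constructed .tar.gz fixture (two ordinary
// regular files) so the bounded listing can be exercised offline.
func BuildSampleTarGz() []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	members := []struct {
		name string
		size int
	}{{"a.txt", 100}, {"b.bin", 2000}}
	for _, m := range members {
		hdr := &tar.Header{Name: m.name, Mode: 0o644, Size: int64(m.size), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(bytes.Repeat([]byte{'x'}, m.size)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := gz.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	archive := BuildSampleTarGz()
	// A generous budget lists both members; a 1 KiB budget stops after the
	// first member with ErrArchiveTooLarge, because the stream is 4608 bytes.
	for _, budget := range []int64{1 << 20, 1024} {
		entries, err := ListGzipTarBounded(bytes.NewReader(archive), budget)
		fmt.Printf("budget=%d entries=%d err=%v\n", budget, len(entries), err)
	}
}
```

Pick the budget from the largest archive the service legitimately handles; the bound limits how much a single request can make tar.Reader allocate, but it does not change the Reader's behaviour on sparse maps, so it complements the upgrade in the Remediation section rather than replacing it.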

Impact

Exploitation of this vulnerability can lead to excessive memory consumption, potentially exhausting memory in applications that process affected tar files.

Remediation

Users can upgrade to Go versions 1.25.2 or 1.24.8, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.

Added: Oct 29, 2025, 11:29 PM
Updated: Oct 29, 2025, 11:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 0.9
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.