Logrus Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability affects the Logrus logging library for Go in all versions prior to 1.8.3, and again in 1.9.0 and 1.9.2. Entry.Writer() (and Logger.Writer(), which wraps it) hands the caller the write end of an io.Pipe; a background goroutine drains the read end with a bufio.Scanner that uses the default line splitter and the default maximum token size, bufio.MaxScanTokenSize (64KB, 65,536 bytes). When a single line longer than that limit is written without any newline character, Scan fails with bufio.ErrTooLong ("token too long"), the goroutine exits and closes the read end of the pipe. From that point on every Write to the writer returns io.ErrClosedPipe: the Writer() is permanently unusable for the lifetime of that logger, and anything logged through it is lost.
Impact
A single oversized write is enough to break the logging path for good; there is no recovery short of creating a new writer. Log lines written afterwards are dropped, and callers that do not handle the write error (a subprocess whose stdout is redirected into the writer, or the standard library log package pointed at it) can fail or crash, which is how the issue manifests as application downtime. Because the trigger is data content rather than volume, an unauthenticated client can cause it with one request if the logged data is under its control.
Reproduction
The vulnerability is reproduced by writing a single line of more than 64KB (65,536 bytes) with no newline character to the writer returned by Entry.Writer() or Logger.Writer(). In practice this means any code path that streams attacker-influenced data into the writer, for example HTTP header or body values, or the stdout/stderr of a subprocess whose output is redirected into the Logrus writer. The first oversized write fails, the reader goroutine logs the scanner error and closes the pipe, and every later write fails with io.ErrClosedPipe.
Remediation
Upgrade to Logrus 1.8.3, 1.9.1, or 1.9.3 or later, where the scanner no longer fails on oversized lines. Note that 1.9.0 and 1.9.2 are affected even though they are newer than 1.8.3, so a dependency check of ">= 1.8.3" is not sufficient; require 1.9.3 or newer (`go get github.com/sirupsen/logrus@v1.9.3`, then confirm with `go list -m github.com/sirupsen/logrus`). Until the upgrade lands, do not feed unbounded, untrusted data into the writer without inserting newlines or truncating lines below the 64KB limit first.
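The following Go program is an added example, not code from this page or from the Logrus project. It reproduces the mechanism behind the Reproduction section (an io.Pipe drained by a bufio.Scanner with the default 64KB token limit) and places a hardened variant beside it that uses the same chunking idea as the upstream fix; the hardened split function is my reconstruction, not the Logrus source. The names vulnerableWriter, hardenedWriter, lineSink, exercise, RunVulnerable and RunHardened are hypothetical, and the 70,000-byte input is constructed for the demonstration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
	"sync"
)

// lineSink stands in for the logger: it records every line the reader goroutine
// hands to its print function, as logrus does with the entry's print method.
type lineSink struct {
	mu    sync.Mutex
	lines []string
}

func (s *lineSink) print(args ...interface{}) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.lines = append(s.lines, fmt.Sprint(args...))
}

// vulnerableWriter reproduces the pre-fix pattern: the read end of an io.Pipe is
// drained by a bufio.Scanner with the default 64KB token limit. A line longer than
// that makes Scan fail with bufio.ErrTooLong; the goroutine then closes the reader,
// which turns every later Write on the returned writer into io.ErrClosedPipe.
func vulnerableWriter(sink *lineSink) (*io.PipeWriter, <-chan error) {
	reader, writer := io.Pipe()
	done := make(chan error, 1)
	go func() {
		scanner := bufio.NewScanner(reader)
		for scanner.Scan() {
			sink.print(scanner.Text())
		}
		err := scanner.Err()
		reader.Close() // the fatal step: the pipe is now dead for good
		done <- err
	}()
	return writer, done
}

// hardenedWriter (my reconstruction of the upstream approach) installs a split
// function that emits at most 64KB per token, so an oversized line becomes several
// log entries instead of an error that kills the scanner.
func hardenedWriter(sink *lineSink) (*io.PipeWriter, <-chan error) {
	reader, writer := io.Pipe()
	done := make(chan error, 1)
	go func() {
		const chunkSize = bufio.MaxScanTokenSize // 65536
		scanner := bufio.NewScanner(reader)
		scanner.Buffer(make([]byte, chunkSize), chunkSize)
		scanner.Split(func(data []byte, atEOF bool) (int, []byte, error) {
			if len(data) >= chunkSize {
				return chunkSize, data[:chunkSize], nil // flush a full chunk
			}
			return bufio.ScanLines(data, atEOF)
		})
		for scanner.Scan() {
			sink.print(strings.TrimRight(scanner.Text(), "\r\n"))
		}
		err := scanner.Err()
		reader.Close()
		done <- err
	}()
	return writer, done
}

// Result captures what a caller of the writer observes.
type Result struct {
	FirstWriteErr  error    // error from writing the oversized line
	SecondWriteErr error    // error from a harmless follow-up write
	ScannerErr     error    // error the reader goroutine ended with
	Lines          []string // what actually reached the logger
}

// exercise feeds a constructed 70,000-byte line with no newline (just over the
// 64KB limit, e.g. an attacker-controlled header value) into the writer, follows
// it with a normal line, closes the writer and reports the outcome.
func exercise(newWriter func(*lineSink) (*io.PipeWriter, <-chan error)) Result {
	sink := &lineSink{}
	w, done := newWriter(sink)
	oversized := bytes.Repeat([]byte("A"), 70000)
	_, err1 := w.Write(oversized)
	_, err2 := w.Write([]byte("second line\n"))
	w.Close()
	scanErr := <-done
	sink.mu.Lock()
	defer sink.mu.Unlock()
	return Result{FirstWriteErr: err1, SecondWriteErr: err2, ScannerErr: scanErr, Lines: sink.lines}
}

func RunVulnerable() Result { return exercise(vulnerableWriter) }
func RunHardened() Result   { return exercise(hardenedWriter) }

func main() {
	v := RunVulnerable()
	fmt.Printf("vulnerable: scanner=%v write1=%v write2=%v lines=%d\n",
		v.ScannerErr, v.FirstWriteErr, v.SecondWriteErr, len(v.Lines))
	h := RunHardened()
	fmt.Printf("hardened:   scanner=%v write1=%v write2=%v lines=%d\n",
		h.ScannerErr, h.FirstWriteErr, h.SecondWriteErr, len(h.Lines))
}
```

In the vulnerable variant the oversized write returns io.ErrClosedPipe, the follow-up write fails the same way, the scanner ends with bufio.ErrTooLong and nothing reaches the sink; in the hardened variant both writes succeed and the sink receives two entries, a 65,536-byte chunk and the 4,464-byte remainder joined to the next line. To confirm the behaviour against a real pinned version rather than this stand-in, write the same 70,000-byte slice to `logrus.New().Writer()` and check the error returned by the second Write.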
