OESA-2025-2648

. Security Fix(es): tar.Reader in the Go archive/tar component did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.(CVE-2025-58183) In Go before 1.24.8 and 1.25.x before 1.25.2, when parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.(CVE-2025-58185) In Go before 1.24.8 and 1.25.x before 1.25.2, When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. The impact for this is relatively limited.(CVE-2025-58189) In Go before 1.24.8 and 1.25.x before 1.25.2, The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption.(CVE-2025-61724)