CVE-2025-58058
Terraform Community vulnerability analysis and mitigation

Overview

CVE-2025-58058 affects the Go package github.com/ulikunitz/xz in versions prior to 0.5.14. The vulnerability was disclosed on August 28, 2025. It allows an attacker to cause excessive memory consumption with a manipulated LZMA-encoded byte stream: the package cannot detect data placed in front of an LZMA stream while reading the header, so it may allocate a far larger buffer than the stream warrants (GitHub Advisory).

Technical details

The vulnerability occurs because the LZMA format doesn't include a magic marker or checksum in the header to detect malformed streams. When reading a corrupted stream with a zero byte prefix, the implementation allocates the full decoding buffer immediately after reading the header. While the code eventually detects stream issues during processing, the memory allocation has already occurred. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (GitHub Advisory).

Impact

The primary impact is on memory resource consumption, particularly affecting servers with limited RAM that process large numbers of unverified LZMA archives. When exploited, the vulnerability can cause sharp spikes in memory usage, overwhelming the garbage collector's ability to manage memory effectively (GitHub Advisory).

Mitigation and workarounds

The issue has been patched in version 0.5.14 with several mitigations: the ReaderConfig DictCap field now acts as an upper limit for the dictionary size, with a default of 2 gigabytes; the dictionary size is limited to the larger of the file size and the minimum dictionary size; and the code only supports stream sizes up to a pebibyte (1024^5 bytes). Users can inspect the actual header values with the Reader.Header method and set appropriate limits via ReaderConfig. Note that version 0.5.15 was released to fix a compiler error on 32-bit platforms present in 0.5.14 (GitHub Advisory).
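The header-only allocation problem described under Technical details and the three limits listed above can be shown in a few dozen lines. The following is an added example written for this page, not code from the ulikunitz/xz library: it parses the 13-byte LZMA "alone" header with the standard library only and applies the advisory's limits (a 2 GiB dictionary cap, a dictionary no larger than max(stated size, minimum dictionary size), and a one-pebibyte stream limit) before any buffer is reserved. The 4 KiB minimum dictionary size, the choice to treat "file size" as the uncompressed size stated in the header, and rejecting rather than clamping when the cap is exceeded are this example's assumptions; the function names are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits modelled on the advisory's description of the 0.5.14 fix. The 2 GiB
// cap and the one-pebibyte stream limit are the advisory's figures; the 4 KiB
// minimum dictionary size is an assumed value for this example.
const (
	MinDictSize    = int64(1 << 12)
	DefaultDictCap = int64(2 << 30)  // 2 GiB
	MaxStreamSize  = uint64(1 << 50) // 1024^5 bytes
	HeaderLen      = 13              // props(1) + dict size(4, LE) + uncompressed size(8, LE)
	UnknownSize    = ^uint64(0)      // all-ones: the stream does not state its size
)

// Header is the decoded LZMA "alone" header. The format has no magic bytes and
// no checksum, so a reader cannot tell a shifted or corrupted header from a
// genuine one until it has already acted on these fields.
type Header struct {
	LC, LP, PB       int
	DictSize         uint32
	UncompressedSize uint64
}

// EncodeHeader builds a 13-byte header; used here only to construct sample input.
func EncodeHeader(lc, lp, pb int, dictSize uint32, size uint64) []byte {
	b := make([]byte, HeaderLen)
	b[0] = byte((pb*5+lp)*9 + lc)
	binary.LittleEndian.PutUint32(b[1:5], dictSize)
	binary.LittleEndian.PutUint64(b[5:13], size)
	return b
}

// ParseHeader decodes the header. Only the properties byte can be sanity-checked;
// the dictionary and size fields are taken at face value, which is why the
// allocation decision in DictAlloc must not trust them.
func ParseHeader(b []byte) (Header, error) {
	var h Header
	if len(b) < HeaderLen {
		return h, errors.New("short LZMA header")
	}
	props := int(b[0])
	if props > (4*5+4)*9+8 { // lc<=8, lp<=4, pb<=4
		return h, fmt.Errorf("invalid properties byte 0x%02x", props)
	}
	h.LC = props % 9
	props /= 9
	h.LP = props % 5
	h.PB = props / 5
	h.DictSize = binary.LittleEndian.Uint32(b[1:5])
	h.UncompressedSize = binary.LittleEndian.Uint64(b[5:13])
	return h, nil
}

// DictAlloc decides how much dictionary memory to reserve before any compressed
// data is read. It enforces the three limits from the advisory: the stream may
// not exceed a pebibyte, the dictionary is bounded by max(stated uncompressed
// size, MinDictSize), and it may never exceed dictCap.
func DictAlloc(h Header, dictCap int64) (int64, error) {
	if h.UncompressedSize != UnknownSize && h.UncompressedSize > MaxStreamSize {
		return 0, fmt.Errorf("stated size %d exceeds %d bytes", h.UncompressedSize, MaxStreamSize)
	}
	alloc := int64(h.DictSize)
	if alloc < MinDictSize {
		alloc = MinDictSize
	}
	if h.UncompressedSize != UnknownSize {
		limit := int64(h.UncompressedSize)
		if limit < MinDictSize {
			limit = MinDictSize
		}
		if alloc > limit {
			alloc = limit // the dictionary never needs to exceed the whole output
		}
	}
	if alloc > dictCap {
		return 0, fmt.Errorf("dictionary size %d exceeds cap %d", alloc, dictCap)
	}
	return alloc, nil
}

func main() {
	// Constructed sample headers: a typical one, one claiming a 4 GiB dictionary
	// with unknown output size, and one claiming 4 GiB for a stated 1 MiB output.
	samples := [][]byte{
		EncodeHeader(3, 0, 2, 1<<23, 100<<20),
		EncodeHeader(3, 0, 2, 0xFFFFFFFF, UnknownSize),
		EncodeHeader(3, 0, 2, 0xFFFFFFFF, 1<<20),
	}
	for _, raw := range samples {
		h, err := ParseHeader(raw)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		n, err := DictAlloc(h, DefaultDictCap)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("dict field %d -> allocate %d bytes\n", h.DictSize, n)
	}
}
```

Run with `go run` on the file. The second sample is refused outright because nothing in the header justifies a 4 GiB buffer, and the third is cut down to the 1 MiB the stream says it will produce; an unpatched reader would have reserved the full dictionary field in both cases before ever noticing the stream was malformed.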


Related Terraform Community vulnerabilities:

CVE ID          | Severity | Score | Technologies        | Component name                          | CISA KEV exploit | Has fix | Published date
CVE-2025-22874  | HIGH     | 7.5   | Docker              | volume-modifier-for-k8s-fips            | No               | Yes     | Jun 11, 2025
CVE-2025-47907  | HIGH     | 7     | Docker              | elvish                                  | No               | Yes     | Aug 07, 2025
CVE-2025-4673   | MEDIUM   | 6.8   | Docker              | podman-remote                           | No               | Yes     | Jun 11, 2025
CVE-2025-47910  | MEDIUM   | 5.4   | Terraform Community | container-tools:rhel8::podman-plugins   | No               | Yes     | Sep 22, 2025
CVE-2025-58058  | MEDIUM   | 5.3   | Terraform Community | rhel9-eus::rhel-9.6-bootc-image-builder | No               | Yes     | Aug 28, 2025
