CVE-2025-11579

unknown

Published 2025-10-10 · Modified 2026-02-04

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2025-11579 NameCVE-2025-11579 Descriptiongithub.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE…

CVE-2025-11579

Name	CVE-2025-11579
Description	github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1117936

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-github-nwaples-rardecode (PTS)	forky	2.2.2-2	fixed
	sid	2.2.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-github-nwaples-rardecode	source	(unstable)	2.2.1-1			1117936

Notes

https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9 (v2.2.0)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9 (v2.2.0)

OS impact

OS	Version	Status	Fixed in
debian	forky	fixed	`2.2.1-1`
debian	sid	fixed	`2.2.1-1`
sles		affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	github.com/nwaples/rardecode/v2	`<2.2.0`	`2.2.0`
Go	github.com/nwaples/rardecode	`<=1.1.3`
Go	github.com/nwaples/rardecode

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.