Update module github.com/sirupsen/logrus to v1.8.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sirupsen/logrus	v1.6.0 → v1.8.3

---

Logrus is vulnerable to DoS when using Entry.Writer()

CVE-2025-65637 / GHSA-4f99-4q7p-p3gh

More information

Details

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-65637
• https://github.com/sirupsen/logrus/issues/1370
• https://github.com/sirupsen/logrus/pull/1376
• https://github.com/mjuanxd/logrus-dos-poc
• https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md
• https://github.com/sirupsen/logrus/releases/tag/v1.8.3
• https://github.com/sirupsen/logrus/releases/tag/v1.9.1
• https://github.com/sirupsen/logrus/releases/tag/v1.9.3
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391
• https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7
• https://github.com/advisories/GHSA-4f99-4q7p-p3gh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sirupsen/logrus (github.com/sirupsen/logrus)

v1.8.3

Compare Source

What's Changed

• Add instructions to use different log levels for local and syslog by @​tommyblue in #​1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in #​1376
• Use text when shows the logrus output by @​xieyuschen in #​1339

New Contributors

• @​tommyblue made their first contribution in #​1372
• @​ozfive made their first contribution in #​1376
• @​xieyuschen made their first contribution in #​1339

Full Changelog: sirupsen/logrus@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

• CI: use GitHub Actions by @​thaJeztah in #​1239
• go.mod: github.com/stretchr/testify v1.7.0 by @​thaJeztah in #​1246
• Change godoc badge to pkg.go.dev badge by @​minizilla in #​1249
• Add support for the logger private buffer pool. by @​edoger in #​1253
• bump golang.org/x/sys depency version by @​dgsb in #​1280
• Update README.md by @​runphp in #​1266
• indicates issues as stale automatically by @​dgsb in #​1281
• ci: add go 1.17 to test matrix by @​anajavi in #​1277
• reduce the list of cross build target by @​dgsb in #​1282
• Improve Log methods documentation by @​dgsb in #​1283
• fix race condition for SetFormatter and SetReportCaller by @​rubensayshi in #​1263
• bump version of golang.org/x/sys dependency by @​nathanejohnson in #​1333
• update gopkg.in/yaml.v3 to v3.0.1 by @​izhakmo in #​1337
• update dependencies by @​dgsb in #​1343
• Fix data race in hooks.test package by @​FrancoisWagner in #​1362

New Contributors

• @​minizilla made their first contribution in #​1249
• @​edoger made their first contribution in #​1253
• @​runphp made their first contribution in #​1266
• @​anajavi made their first contribution in #​1277
• @​rubensayshi made their first contribution in #​1263
• @​nathanejohnson made their first contribution in #​1333
• @​izhakmo made their first contribution in #​1337
• @​FrancoisWagner made their first contribution in #​1362

Full Changelog: sirupsen/logrus@v1.8.1...v1.8.2

v1.8.1

Compare Source

v1.8.0

Compare Source

Correct versioning number replacing v1.7.1

v1.7.1

Compare Source

Code quality:

• use go 1.15 in travis
• use magefile as task runner

Fixes:

• small fixes about new go 1.13 error formatting system
• Fix for long time race condiction with mutating data hooks

Features:

• build support for zos

v1.7.0: Add new BufferPool and LogFunction APIs

Compare Source

• a new buffer pool management API has been added
• a set of <LogLevel>Fn() functions have been added
• the dependency toward a windows terminal library has been removed

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/stretchr/testify	v1.6.1 -> v1.7.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/stretchr/testify	v1.6.1 -> v1.7.0