
CVE-2025-11579: rardecode: DoS risk due to unrestricted RAR dictionary sizes

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.11209%
Published: 10/10/2025
Updated: 10/11/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: github.com/nwaples/rardecode/v2
Ecosystem: go
Vulnerable Versions: < 2.2.0
First Patched Version: 2.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a denial of service caused by an unrestricted dictionary size in RAR file decoding. The provided patch addresses this by introducing a configurable limit on the dictionary size. The analysis of the patch commit 52fb4e825c936636f251f7e7deded39ab11df9a9 reveals changes in two files: reader.go and volume.go.

In volume.go, a new option maxDictSize is added to the options struct, along with a MaxDictionarySize function to set it. A default value is also provided. This allows the user of the library to control the maximum dictionary size that will be allocated.

In reader.go, the newArchiveFileFrom function is modified to enforce this new limit. The key change is the updated conditional statement:

-		if h.winSize > maxDictSize {
+		if h.winSize > maxDictSize || h.winSize > pr.opt.maxDictSize {
 			return nil, ErrDictionaryTooLarge
 		}
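Review bot: the two comparisons in the new condition overlap; if MaxDictionarySize never lets pr.opt.maxDictSize exceed the hard maxDictSize (the default set in volume.go suggests it is at or below it), `h.winSize > pr.opt.maxDictSize` alone is sufficient, and if the option can be set higher, clamping it where it is set would keep this check to a single, obviously correct comparison. Since ErrDictionaryTooLarge is now returned for two different limits, consider wrapping it with the offending winSize and the limit that was hit so callers can tell a hostile header from a too-strict option.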

This change shows that newArchiveFileFrom is the function where the dictionary size from the RAR file header (h.winSize) is checked. The vulnerability existed because the previous check was insufficient. By adding the check against pr.opt.maxDictSize, the function now prevents the allocation of excessively large dictionaries.

Therefore, packedFileReader.newArchiveFileFrom is the vulnerable function. When a malicious RAR file is processed, this function would be on the execution path that leads to the out-of-memory error. A runtime profiler would show this function call during an exploit attempt.

Vulnerable functions

packedFileReader.newArchiveFileFrom (reader.go)
The vulnerability lies in the `newArchiveFileFrom` function, which is responsible for processing RAR archive file headers. Before the patch, this function only checked the dictionary size (`h.winSize`) against a fixed maximum (`maxDictSize`). It did not allow for a user-configurable limit. An attacker could provide a specially crafted RAR file with a large dictionary size in the header, causing the program to attempt to allocate a large amount of memory, leading to a denial of service. The patch introduces a check against a new configurable `maxDictSize` from the options, mitigating the vulnerability.
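To show the check the root cause analysis and the function description above are both about, here is an added illustration modelled on the described patch (not rardecode's own code): a header-declared window size is compared against a hard cap and a caller-configurable cap before the buffer is allocated. The hard cap value, the default, the header and reader types are all assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Error name mirrors the one in the patch; every value below is constructed.
var ErrDictionaryTooLarge = errors.New("rardecode: dictionary size too large")

// Hard cap standing in for the library's maxDictSize constant (assumed value).
const maxDictSize uint64 = 4 << 30 // 4 GiB

type options struct{ maxDictSize uint64 }

// Option follows the functional-options pattern the page describes for volume.go.
type Option func(*options)

// MaxDictionarySize lets the caller cap the dictionary it is willing to allocate.
func MaxDictionarySize(n uint64) Option { return func(o *options) { o.maxDictSize = n } }

// fileHeader carries only the field that matters here: the window size the
// archive claims it needs (h.winSize in the patch), which is attacker-controlled.
type fileHeader struct {
	name    string
	winSize uint64
}

type packedFileReader struct{ opt options }

// NewReader applies the options; the default is the hard cap, so a caller that
// sets nothing gets the pre-patch behaviour and cannot lower the limit.
func NewReader(opts ...Option) *packedFileReader {
	o := options{maxDictSize: maxDictSize}
	for _, apply := range opts {
		apply(&o)
	}
	return &packedFileReader{opt: o}
}

// newArchiveFileFrom performs the patched check before any allocation: reject
// if winSize exceeds either the hard cap or the caller's cap.
func (pr *packedFileReader) newArchiveFileFrom(h fileHeader) ([]byte, error) {
	if h.winSize > maxDictSize || h.winSize > pr.opt.maxDictSize {
		return nil, fmt.Errorf("%s: winSize=%d: %w", h.name, h.winSize, ErrDictionaryTooLarge)
	}
	return make([]byte, h.winSize), nil // the allocation a hostile header used to drive
}

func main() {
	r := NewReader(MaxDictionarySize(16 << 20)) // accept at most a 16 MiB window
	for _, h := range []fileHeader{{"small.txt", 1 << 20}, {"huge.bin", 8 << 30}} {
		win, err := r.newArchiveFileFrom(h)
		fmt.Printf("%s: window=%d err=%v\n", h.name, len(win), err)
	}
}
```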

WAF Protection Rules

WAF Rule

rardecode versions <= *.*.* fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory crash.
