fix(deps): update module github.com/sirupsen/logrus to v1.8.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sirupsen/logrus	v1.8.1 → v1.8.3

---

Logrus is vulnerable to DoS when using Entry.Writer()

CVE-2025-65637 / GHSA-4f99-4q7p-p3gh

More information

Details

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-65637
• https://github.com/sirupsen/logrus/issues/1370
• https://github.com/sirupsen/logrus/pull/1376
• https://github.com/mjuanxd/logrus-dos-poc
• https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md
• https://github.com/sirupsen/logrus/releases/tag/v1.8.3
• https://github.com/sirupsen/logrus/releases/tag/v1.9.1
• https://github.com/sirupsen/logrus/releases/tag/v1.9.3
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391
• https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7
• https://github.com/advisories/GHSA-4f99-4q7p-p3gh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sirupsen/logrus (github.com/sirupsen/logrus)

v1.8.3

Compare Source

What's Changed

• Add instructions to use different log levels for local and syslog by @​tommyblue in #​1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in #​1376
• Use text when shows the logrus output by @​xieyuschen in #​1339

New Contributors

• @​tommyblue made their first contribution in #​1372
• @​ozfive made their first contribution in #​1376
• @​xieyuschen made their first contribution in #​1339

Full Changelog: sirupsen/logrus@v1.8.2...v1.8.3

v1.8.2

Compare Source

What's Changed

• CI: use GitHub Actions by @​thaJeztah in #​1239
• go.mod: github.com/stretchr/testify v1.7.0 by @​thaJeztah in #​1246
• Change godoc badge to pkg.go.dev badge by @​minizilla in #​1249
• Add support for the logger private buffer pool. by @​edoger in #​1253
• bump golang.org/x/sys depency version by @​dgsb in #​1280
• Update README.md by @​runphp in #​1266
• indicates issues as stale automatically by @​dgsb in #​1281
• ci: add go 1.17 to test matrix by @​anajavi in #​1277
• reduce the list of cross build target by @​dgsb in #​1282
• Improve Log methods documentation by @​dgsb in #​1283
• fix race condition for SetFormatter and SetReportCaller by @​rubensayshi in #​1263
• bump version of golang.org/x/sys dependency by @​nathanejohnson in #​1333
• update gopkg.in/yaml.v3 to v3.0.1 by @​izhakmo in #​1337
• update dependencies by @​dgsb in #​1343
• Fix data race in hooks.test package by @​FrancoisWagner in #​1362

New Contributors

• @​minizilla made their first contribution in #​1249
• @​edoger made their first contribution in #​1253
• @​runphp made their first contribution in #​1266
• @​anajavi made their first contribution in #​1277
• @​rubensayshi made their first contribution in #​1263
• @​nathanejohnson made their first contribution in #​1333
• @​izhakmo made their first contribution in #​1337
• @​FrancoisWagner made their first contribution in #​1362

Full Changelog: sirupsen/logrus@v1.8.1...v1.8.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
golang.org/x/sys	v0.0.0-20210326220804-49726bf1d181 -> v0.0.0-20220715151400-c0bba94af5f8

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang.org/​x/​sys@​v0.0.0-20210326220804-49726bf1d181 ⏵ v0.0.0-20220715151400-c0bba94af5f8	-1	+2
	github.com/​sirupsen/​logrus@​v1.8.1 ⏵ v1.8.3		+16

View full report

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
golang.org/x/sys	v0.0.0-20210326220804-49726bf1d181 -> v0.0.0-20220715151400-c0bba94af5f8