Update module github.com/sirupsen/logrus to v1.9.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/sirupsen/logrus	v1.9.0 → v1.9.1

---

Logrus is vulnerable to DoS when using Entry.Writer()

CVE-2025-65637 / GHSA-4f99-4q7p-p3gh

More information

Details

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-65637
• https://github.com/sirupsen/logrus/issues/1370
• https://github.com/sirupsen/logrus/pull/1376
• https://github.com/mjuanxd/logrus-dos-poc
• https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md
• https://github.com/sirupsen/logrus/releases/tag/v1.8.3
• https://github.com/sirupsen/logrus/releases/tag/v1.9.1
• https://github.com/sirupsen/logrus/releases/tag/v1.9.3
• https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391
• https://github.com/sirupsen/logrus/commit/6acd903758687c4a3db3c11701e6c414fcf1c1f7
• https://github.com/advisories/GHSA-4f99-4q7p-p3gh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sirupsen/logrus (github.com/sirupsen/logrus)

v1.9.1

Compare Source

What's Changed

• Fix data race in hooks.test package by @​FrancoisWagner in #​1362
• Add instructions to use different log levels for local and syslog by @​tommyblue in #​1372
• This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines. by @​ozfive in #​1376
• Use text when shows the logrus output by @​xieyuschen in #​1339

New Contributors

• @​FrancoisWagner made their first contribution in #​1362
• @​tommyblue made their first contribution in #​1372
• @​ozfive made their first contribution in #​1376
• @​xieyuschen made their first contribution in #​1339

Full Changelog: sirupsen/logrus@v1.9.0...v1.9.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.