
CVE-2025-58058: CWE-770: Allocation of Resources Without Limits or Throttling in ulikunitz xz

Medium
Tags: Vulnerability, CVE-2025-58058, cve, cwe-770
Published: Thu Aug 28 2025 (08/28/2025, 21:54:05 UTC)
Source: CVE Database V5
Vendor/Project: ulikunitz
Product: xz

Description

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would detect such an issue. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done. This issue has been patched in version 0.5.14.

AI-Powered Analysis

AI analysis last updated: 08/28/2025, 22:17:46 UTC

Technical Analysis

CVE-2025-58058 is a medium-severity vulnerability identified in the 'xz' package developed by ulikunitz, a pure Go implementation for reading and writing xz-compressed files. The vulnerability arises in versions prior to 0.5.14 due to improper handling of data placed before an LZMA-encoded byte stream. Specifically, the xz package reads the header of the LZMA stream without detecting if extraneous data precedes the actual compressed content. According to the LZMA specification, the header lacks a magic number or checksum that would allow early detection of such malformed input. Consequently, the package allocates the full decoding buffer immediately after reading the header, based on the expected decompressed size. If data is prepended to the stream, this allocation can be significantly larger than necessary, leading to excessive memory consumption. Although the code eventually recognizes the malformed stream during decompression, the memory allocation has already occurred, potentially causing resource exhaustion or denial of service (DoS) conditions. This vulnerability is classified under CWE-770, which concerns allocation of resources without limits or throttling. The issue was addressed and patched in version 0.5.14 of the xz package. The CVSS v3.1 base score is 5.3, reflecting a network-exploitable vulnerability that requires no privileges or user interaction, with impact limited to availability (memory exhaustion), and no impact on confidentiality or integrity. No known exploits are currently reported in the wild.

Potential Impact

For European organizations, the primary impact of CVE-2025-58058 is the risk of denial of service through memory exhaustion when processing maliciously crafted xz-compressed files using vulnerable versions of the ulikunitz xz package. Organizations that rely on software or services incorporating this package for handling compressed data—such as backup solutions, data ingestion pipelines, or file processing utilities—may experience service disruptions or crashes. This could affect availability of critical systems, especially in environments processing large volumes of compressed data or exposed to untrusted inputs (e.g., public-facing upload portals). While the vulnerability does not compromise data confidentiality or integrity, the availability impact could interrupt business operations or degrade service quality. Given the medium severity and absence of known exploits, the immediate risk is moderate; however, the potential for exploitation in automated or targeted DoS attacks exists if attackers supply crafted xz files. European organizations should assess their software supply chain and dependencies to identify usage of the affected package versions and prioritize patching to prevent service interruptions.

Mitigation Recommendations

1. Upgrade: Immediately update the ulikunitz xz package to version 0.5.14 or later, where the vulnerability is patched.
2. Input Validation: Implement strict validation and sanitization of all incoming compressed files, especially those from untrusted sources, to detect and reject malformed or suspicious xz streams before processing.
3. Resource Limits: Configure memory usage limits and timeouts on processes handling decompression to prevent excessive resource consumption from malformed inputs.
4. Monitoring and Alerting: Deploy monitoring to detect abnormal memory usage or crashes in services handling xz files, enabling rapid response to potential exploitation attempts.
5. Dependency Auditing: Conduct thorough audits of software dependencies and container images to identify and remediate vulnerable versions of the xz package.
6. Isolation: Run decompression operations in isolated environments or sandboxes to contain potential DoS impacts and prevent cascading failures in critical systems.
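The following Go program is an added illustration of the failure mode described in the Technical Analysis and of mitigations 2 and 3 above (validate the stream, cap resources before allocating). It is not code from the ulikunitz/xz package and does not reproduce its internals. It assumes the standard 13-byte LZMA "alone" header layout (properties byte, little-endian dictionary size, little-endian uncompressed size), which is general format knowledge rather than something stated in the advisory. The size caps, the `Limits`/`ParseHeader` names and the sample bytes (a well-formed header, and the same header with four junk bytes in front of it) are all constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// LZMA "alone" header layout assumed here (standard format, not quoted from the advisory):
//   byte 0       properties = (pb*5 + lp)*9 + lc, so it must be below 225
//   bytes 1..4   dictionary size, uint32 little-endian
//   bytes 5..12  uncompressed size, uint64 little-endian; all-ones means unknown
const headerLen = 13

// UnknownSize is the all-ones marker for "uncompressed size not declared".
const UnknownSize = ^uint64(0)

// Header holds the fields decoded from the 13 raw bytes.
type Header struct {
	LC, LP, PB       uint8
	DictSize         uint32
	UncompressedSize uint64
}

// Limits are caps the caller chooses for its own environment (constructed values below).
type Limits struct {
	MaxDictSize         uint32
	MaxUncompressedSize uint64
}

var (
	ErrShortHeader = errors.New("lzma: header truncated")
	ErrProperties  = errors.New("lzma: invalid properties byte")
	ErrDictTooBig  = errors.New("lzma: dictionary size exceeds limit")
	ErrSizeTooBig  = errors.New("lzma: declared uncompressed size exceeds limit")
)

// ParseHeader reads the header and checks every size field against lim before the
// caller allocates anything. Because the format carries no magic number or checksum,
// bytes prepended to a stream are silently read as a header; the only defence at
// this stage is to refuse sizes the caller is not prepared to allocate.
func ParseHeader(r io.Reader, lim Limits) (Header, error) {
	var raw [headerLen]byte
	if _, err := io.ReadFull(r, raw[:]); err != nil {
		return Header{}, ErrShortHeader
	}
	props := raw[0]
	if props >= 225 { // 9 lc values * 5 lp values * 5 pb values
		return Header{}, ErrProperties
	}
	h := Header{
		LC:               props % 9,
		LP:               (props / 9) % 5,
		PB:               props / 45,
		DictSize:         binary.LittleEndian.Uint32(raw[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(raw[5:13]),
	}
	if h.DictSize > lim.MaxDictSize {
		return h, fmt.Errorf("%w: %d > %d", ErrDictTooBig, h.DictSize, lim.MaxDictSize)
	}
	if h.UncompressedSize != UnknownSize && h.UncompressedSize > lim.MaxUncompressedSize {
		return h, fmt.Errorf("%w: %d > %d", ErrSizeTooBig, h.UncompressedSize, lim.MaxUncompressedSize)
	}
	return h, nil
}

// EncodeHeader builds a raw header; used only to construct the sample input below.
func EncodeHeader(lc, lp, pb uint8, dict uint32, size uint64) []byte {
	raw := make([]byte, headerLen)
	raw[0] = (pb*5+lp)*9 + lc
	binary.LittleEndian.PutUint32(raw[1:5], dict)
	binary.LittleEndian.PutUint64(raw[5:13], size)
	return raw
}

// ValidHeader is a constructed, well-formed header: lc=3 lp=0 pb=2, 8 MiB dictionary, 1000 bytes.
func ValidHeader() []byte { return EncodeHeader(3, 0, 2, 8<<20, 1000) }

// JunkPrefixedHeader is the same header with four constructed bytes in front of it,
// the malformed input the advisory describes. The junk is read as the header: byte
// 'B' (66) is a legal properties value, and "LOB" plus the real properties byte
// decode to a dictionary size of 0x5D424F4C bytes, roughly 1.5 GiB.
func JunkPrefixedHeader() []byte { return append([]byte("BLOB"), ValidHeader()...) }

func main() {
	lim := Limits{MaxDictSize: 64 << 20, MaxUncompressedSize: 1 << 30}
	for name, in := range map[string][]byte{"clean": ValidHeader(), "junk-prefixed": JunkPrefixedHeader()} {
		h, err := ParseHeader(bytes.NewReader(in), lim)
		fmt.Printf("%-14s dict=%d err=%v\n", name, h.DictSize, err)
	}
}
```

The clean header passes and reports an 8 MiB dictionary; the junk-prefixed input is rejected by the dictionary cap before any decoder buffer exists, which is the point at which the vulnerable versions had already allocated. A decoder that sizes its buffer from the header should only do so after a check like this, with the caps chosen to match the memory the process is actually allowed to use.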


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-22T14:30:32.221Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b0d208ad5a09ad006ff0bc

Added to database: 8/28/2025, 10:02:48 PM

Last enriched: 8/28/2025, 10:17:46 PM

Last updated: 8/29/2025, 12:34:43 AM

