github.com/ulikunitz/xz (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/ulikunitz/xz, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (3)
CVE-2020-16845 — CVSS 7.5 (high): Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
CVE-2021-29482 — CVSS 7.5 (high): xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the…
CVE-2025-58058 — CVSS 5.3 (medium): xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an…