CVE-2025-6140

Name: CVE-2025-6140
Description: A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.2 is able to address this issue. The identifier of the patch is 10320184df1eb4638e253a34b1eb44ce78954094. It is recommended to upgrade the affected component.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version            Status
spdlog (PTS)     bullseye   1:1.8.1+ds-2.1     vulnerable
                 bookworm   1:1.10.0+ds-0.4    vulnerable
                 trixie     1:1.15.2+ds-2      fixed
                 sid        1:1.15.3+ds-1      fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
spdlog    source   (unstable)   1:1.15.2+ds-1     -         -        -

Notes

https://github.com/gabime/spdlog/issues/3360
Fixed by: https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 (v1.15.2)
