Vulnerability Report: GO-2023-1269

CVE-2023-22460, GHSA-c653-6hhg-9x92
Affects: github.com/ipld/go-ipld-prime
Published: Jan 18, 2023
Modified: May 20, 2024

Encoding data using the 'json' codec which contains a 'Bytes' type Node will cause the encoder to panic. The decoder is not impacted. If the codec is used to encode user supplied data, this may be used as a vector for a denial of service attack.

For detailed information about this vulnerability, visit https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92.

Affected Packages

Path

Go Versions

Symbols
github.com/ipld/go-ipld-prime/codec/dagjson

before v0.19.0

Aliases

CVE-2023-22460
GHSA-c653-6hhg-9x92

References

https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92
https://github.com/ipld/go-ipld-prime/pull/472
https://vuln.go.dev/ID/GO-2023-1269.json

Credits

@hacdias

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL