Vulnerability Report: GO-2023-1557

CVE-2023-23625, GHSA-q264-w97q-q778
Affects: github.com/ipfs/go-unixfs
Published: Feb 14, 2023
Modified: Dec 14, 2023

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus "fanout" parameter in the HAMT directory nodes. A workaround is to not feed untrusted user data to the decoding functions.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-q264-w97q-q778.

Affected Packages

Path

Versions

Symbols
github.com/ipfs/go-unixfs/hamt

before v0.4.3
12 affected symbols

Aliases

CVE-2023-23625
GHSA-q264-w97q-q778

References

https://github.com/advisories/GHSA-q264-w97q-q778
https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
https://vuln.go.dev/ID/GO-2023-1557.json

Credits

Jorropo

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL