Vulnerability Report: GO-2023-1559

CVE-2023-23631, GHSA-4gj3-6r43-3wfc
Affects: github.com/ipfs/go-unixfsnode
Published: Feb 14, 2023
Modified: May 20, 2024

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. There are no known workarounds (users are advised to upgrade).

For detailed information about this vulnerability, visit https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc.

Affected Packages

Path

Go Versions

Symbols
github.com/ipfs/go-unixfsnode/hamt

before v1.5.2
github.com/ipfs/go-unixfsnode/data/builder

before v1.5.2
18 affected symbols

Aliases

CVE-2023-23631
GHSA-4gj3-6r43-3wfc

References

https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076
https://vuln.go.dev/ID/GO-2023-1559.json

Credits

Jorropo

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL