CVE-2023-23631
Published 2023-02-09
Priority: P339 · Severity: high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.91% (55.4th percentile)
github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions prior to 1.5.2, trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | ipfs_go-unixfsnode | >= 0 < 1.5.2 | 1.5.2 |
| ipfs | go-unixfsnode | < 1.5.2 | 1.5.2 |
| protocol | go-unixfsnode | < 1.5.2 | 1.5.2 |
OSV · 2023-02-14
CVE-2023-23631: Denial of service via HAMT decoding panic in github.com/ipfs/go-unixfsnode
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic.
This is caused by a bogus fanout parameter in the HAMT directory nodes.
There are no known workarounds (users are advised to upgrade).
GHSA · 2023-02-10
CVE-2023-23631 [HIGH] CWE-400: IPFS go-unixfsnode subject to DOS via HAMT Decoding Panics
## Impact
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
If you are reading untrusted user input, an attacker can then trigger a panic.
This is caused by a bogus fanout parameter in the HAMT directory nodes.
This includes checks returned in [ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r](https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r), as well as limiting the fanout to <= 1024 (to avoid attempts of arbitrary sized allocations).
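The mitigation the advisory describes is an input-validation ordering problem: the fanout value and bitfield read from an untrusted shard node must be bounded before any allocation is sized from them. The following Go program is an added illustration of that pattern; it is not code from go-unixfsnode or from the linked patches. `ValidateFanout`, `DecodeShard`, the `Shard` type and the error sentinels are names chosen for this example, and the rule that the bitfield must be exactly fanout/8 bytes long is an assumption stated in the comments; the `1024` cap is the one the advisory gives.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// MaxFanout is the upper bound the go-unixfsnode advisory describes: shard
// fanout values above 1024 are rejected so a forged header cannot drive an
// arbitrarily large allocation.
const MaxFanout = 1024

var (
	ErrFanoutZero       = errors.New("hamt: fanout must be greater than zero")
	ErrFanoutTooLarge   = errors.New("hamt: fanout exceeds maximum")
	ErrFanoutNotPow2    = errors.New("hamt: fanout must be a power of two")
	ErrBitfieldMismatch = errors.New("hamt: bitfield length does not match fanout")
)

// ValidateFanout checks an untrusted fanout value together with the length of
// the shard's bitfield bytes before anything is allocated from them.
// Assumption in this example: the bitfield carries one bit per child slot, so
// it must be exactly fanout/8 bytes long.
func ValidateFanout(fanout uint64, bitfieldLen int) error {
	if fanout == 0 {
		return ErrFanoutZero
	}
	if fanout > MaxFanout {
		return fmt.Errorf("%w: %d > %d", ErrFanoutTooLarge, fanout, MaxFanout)
	}
	if bits.OnesCount64(fanout) != 1 {
		return fmt.Errorf("%w: %d", ErrFanoutNotPow2, fanout)
	}
	if uint64(bitfieldLen)*8 != fanout {
		return fmt.Errorf("%w: %d bytes for fanout %d", ErrBitfieldMismatch, bitfieldLen, fanout)
	}
	return nil
}

// Shard is a minimal stand-in for a decoded HAMT shard node (constructed for
// this example, not the library's type).
type Shard struct {
	Fanout   uint64
	Bitfield []byte
	Children []string // one slot per fanout position, empty until linked
}

// DecodeShard builds a Shard from untrusted header fields. The children slice
// is sized from fanout only after ValidateFanout has bounded it; sizing it
// first is exactly what lets a bogus fanout cause panics or huge allocations.
func DecodeShard(fanout uint64, bitfield []byte) (*Shard, error) {
	if err := ValidateFanout(fanout, len(bitfield)); err != nil {
		return nil, err
	}
	return &Shard{
		Fanout:   fanout,
		Bitfield: bitfield,
		Children: make([]string, fanout),
	}, nil
}

func main() {
	// Constructed sample headers: one well-formed 256-way shard and three
	// malformed ones of the kind the advisory describes.
	cases := []struct {
		name     string
		fanout   uint64
		bitfield []byte
	}{
		{"valid 256-way shard", 256, make([]byte, 32)},
		{"oversized fanout", 1 << 40, make([]byte, 32)},
		{"non power-of-two fanout", 300, make([]byte, 38)},
		{"bitfield too short", 256, make([]byte, 4)},
	}
	for _, c := range cases {
		s, err := DecodeShard(c.fanout, c.bitfield)
		if err != nil {
			fmt.Printf("%-26s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-26s accepted: %d child slots\n", c.name, len(s.Children))
	}
}
```

The sentinel errors let a caller distinguish a structurally impossible shard (non power-of-two fanout, mismatched bitfield) from one that is merely over the resource cap, which is useful when deciding whether to log the peer or block as malformed rather than simply slow to decode.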
## Patches
- https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
- https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122
## References
* https://github.com/ipfs/go-unixfs/
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
- https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076
- https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
- https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122