CVE-2023-23625: Uncontrolled Resource Consumption

February 9, 2023 (updated November 7, 2023)

go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

References

github.com/advisories/GHSA-q264-w97q-q778
github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
nvd.nist.gov/vuln/detail/CVE-2023-23625

Detect and mitigate CVE-2023-23625 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →