
GMS-2023-1409: github.com/ipfs/kubo affected by DOS Bitswap unbounded persistent memory leak

May 11, 2023

An attacker is able to allocate arbitrarily many bytes in the Bitswap server by sending many WANT_BLOCK and/or WANT_HAVE requests, which are queued in an unbounded queue; the allocations persist even after the connection is closed.

This affects users who accept or make untrusted connections, for example by running in the public swarm without a pnet config. Nodes that are not publicly reachable but connect to untrusted nodes are also vulnerable to the nodes they connect to, since libp2p connections are bidirectional.

References

  • github.com/advisories/GHSA-qvqg-6rp8-4p9h
  • github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5
  • github.com/ipfs/kubo/security/advisories/GHSA-qvqg-6rp8-4p9h
  • nvd.nist.gov/vuln/detail/CVE-2023-25568


Affected versions

All versions before 0.19.0

Fixed versions

  • v0.19.0

Solution

Upgrade to version 0.19.0 or above.
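The affected/fixed boundary above (everything before 0.19.0 is affected, v0.19.0 is fixed) is the check a dependency scanner performs. The following is an added example written for this page, not code from the advisory, from Kubo or from GitLab: it reads a go.mod, finds the required version of github.com/ipfs/kubo and compares it with v0.19.0 in semver order, treating a pre-release of 0.19.0 as still affected. The go.mod content is constructed for the example; replace directives and go.sum are not consulted.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedKubo is the first fixed version stated in GMS-2023-1409.
const fixedKubo = "v0.19.0"

// semver holds the numeric triplet plus whether a pre-release tag was present.
type semver struct {
	n   [3]int
	pre bool
}

// parseSemver parses "v0.18.1" or "v0.19.0-rc1"; build metadata ("+...") is ignored.
func parseSemver(v string) (semver, error) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		s.pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return s, fmt.Errorf("bad component %q in %q", p, v)
		}
		s.n[i] = n
	}
	return s, nil
}

// lessThan reports a < b in semver order; a pre-release sorts before its release.
func lessThan(a, b semver) bool {
	for i := 0; i < 3; i++ {
		if a.n[i] != b.n[i] {
			return a.n[i] < b.n[i]
		}
	}
	return a.pre && !b.pre
}

// KuboRequirement returns the version a go.mod requires for github.com/ipfs/kubo.
// It handles a one-line "require mod ver" and require blocks; a trailing
// "// indirect" comment is tolerated. Replace directives are not followed.
func KuboRequirement(gomod string) (string, bool) {
	const mod = "github.com/ipfs/kubo"
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2 && f[0] == mod:
			return f[1], true
		case !inBlock && len(f) >= 3 && f[0] == "require" && f[1] == mod:
			return f[2], true
		}
	}
	return "", false
}

// AffectedByGMS20231409 reports whether the go.mod pins kubo below v0.19.0.
// A go.mod that does not require kubo at all is reported as not affected.
func AffectedByGMS20231409(gomod string) (affected bool, version string, err error) {
	v, ok := KuboRequirement(gomod)
	if !ok {
		return false, "", nil
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	fixed, _ := parseSemver(fixedKubo)
	return lessThan(have, fixed), v, nil
}

// sampleGoMod is a constructed go.mod for this example, not taken from a real project.
const sampleGoMod = `module example.com/constructed/node

go 1.20

require (
	github.com/ipfs/kubo v0.18.1
	github.com/libp2p/go-libp2p v0.26.0 // indirect
)
`

func main() {
	affected, v, err := AffectedByGMS20231409(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("kubo %s affected by GMS-2023-1409: %v (fixed in %s)\n", v, affected, fixedKubo)
}
```

A version string that is not MAJOR.MINOR.PATCH (for example a pseudo-version or "latest") is returned as an error rather than silently treated as safe, so the caller has to resolve it before trusting the verdict.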

Source file

go/github.com/ipfs/kubo/GMS-2023-1409.yml


Page generated Wed, 14 May 2025 12:15:50 +0000.