Advisories for Golang/Github.com/Ipld/Go-Ipfs package

2022

Daemon panics when processing certain blocks

go-ipfs nodes with versions 0.10.0, 0.11.0, 0.12.0, or 0.12.1 can crash when trying to traverse certain malformed graphs due to an issue in the go-codec-dagpb dependency. Vulnerable nodes that work with these malformed graphs may crash leading to denial-of-service risks. This particularly impacts nodes that download or export data that is controlled by external user input as there is the possibility that a malicious user of those services could (intentionally …