CVE-2023-23625

Published: Feb 9, 2023

Modified: Mar 10, 2025

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

Vendor	Product	Versions
ipfs	go-unixfs	affected `< 0.4.3`

Weaknesses (CWE)

CWE-400

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778

x_refsource_CONFIRM

https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-23625

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References