Vulnerability Details CVE-2023-23625
go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.5%
CVSS Severity
CVSS v3 Score 5.9
References
- https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
- https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
Products affected by CVE-2023-23625
-
cpe:2.3:a:protocol:go-unixfs:0.0.1
-
cpe:2.3:a:protocol:go-unixfs:0.0.2
-
cpe:2.3:a:protocol:go-unixfs:0.0.3
-
cpe:2.3:a:protocol:go-unixfs:0.0.4
-
cpe:2.3:a:protocol:go-unixfs:0.0.5
-
cpe:2.3:a:protocol:go-unixfs:0.0.6
-
cpe:2.3:a:protocol:go-unixfs:0.0.7
-
cpe:2.3:a:protocol:go-unixfs:0.0.8
-
cpe:2.3:a:protocol:go-unixfs:0.1.0
-
cpe:2.3:a:protocol:go-unixfs:0.2.0
-
cpe:2.3:a:protocol:go-unixfs:0.2.1
-
cpe:2.3:a:protocol:go-unixfs:0.2.2
-
cpe:2.3:a:protocol:go-unixfs:0.2.3
-
cpe:2.3:a:protocol:go-unixfs:0.2.4
-
cpe:2.3:a:protocol:go-unixfs:0.2.5
-
cpe:2.3:a:protocol:go-unixfs:0.2.6
-
cpe:2.3:a:protocol:go-unixfs:0.3.0
-
cpe:2.3:a:protocol:go-unixfs:0.3.1
-
cpe:2.3:a:protocol:go-unixfs:0.3.10
-
cpe:2.3:a:protocol:go-unixfs:0.3.11
-
cpe:2.3:a:protocol:go-unixfs:0.3.2
-
cpe:2.3:a:protocol:go-unixfs:0.3.3
-
cpe:2.3:a:protocol:go-unixfs:0.3.4
-
cpe:2.3:a:protocol:go-unixfs:0.3.5
-
cpe:2.3:a:protocol:go-unixfs:0.3.6
-
cpe:2.3:a:protocol:go-unixfs:0.3.7
-
cpe:2.3:a:protocol:go-unixfs:0.3.8
-
cpe:2.3:a:protocol:go-unixfs:0.3.9
-
cpe:2.3:a:protocol:go-unixfs:0.4.0
-
cpe:2.3:a:protocol:go-unixfs:0.4.1
-
cpe:2.3:a:protocol:go-unixfs:0.4.2