CVE-2023-23625

HIGH
Published Feb 9, 20233y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Feb 9, 2023 3y ago
Last Modified Jun 17, 2026 2w ago

Description

go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 1

VendorProductVersionRange
protocolgo-unixfs* <0.4.3

References 2

  • github.com https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
    Patch
  • github.com https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
    Vendor Advisory

Remediation

  • github.com https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175
    Patch