CVE-2023-23631

HIGH
Published Feb 9, 20233y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Feb 9, 2023 3y ago
Last Modified Jun 17, 2026 2w ago

Description

github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 1

VendorProductVersionRange
protocolgo-unixfsnode* <1.5.2

References 4

  • github.com https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076
    Patch
  • github.com https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
    Patch
  • github.com https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122
    Patch
  • github.com https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
    PatchVendor Advisory

Remediation

  • github.com https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076
    Patch
  • github.com https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
    Patch
  • github.com https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122
    Patch
  • github.com https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
    PatchVendor Advisory