CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Percentile: 53.3%
An attacker is able to allocate arbitrarily many bytes in the Bitswap server by sending many `WANT_BLOCK` and/or `WANT_HAVE` requests, which are queued in an unbounded queue, with allocations that persist even if the connection is closed.

This affects users accepting untrusted connections with the Bitswap server. It also affects users of the old API stubs at `github.com/ipfs/boxo/bitswap`, because those transitively use `github.com/ipfs/boxo/bitswap/server`.
We have renamed go-libipfs to boxo; this document uses both terms interchangeably. The version numbers for both are applicable, as they share the same historical timeline.

Apply one of:
- Upgrade `boxo` to `v0.6.0` or later
- Upgrade `boxo` to `v0.4.1`

`v0.5.0` is NOT safe; `v0.4.1` is a backport of the `v0.6.0` security fixes on top of `v0.4.0`.
The fixes include:
- The `MaxQueuedWantlistEntriesPerPeer` option allows configuring how many wantlist entries the server remembers; if a peer sends a wantlist bigger than this (including a sum of multiple delta updates), the server truncates the wantlist to match the limit. The default is 1024 entries per peer.
- A peer's queued wantlist entries are released when the `PeerDisconnected` callback is received.
- The maximum CID size is limited by the `MaxCidSize` option and defaults to 168 bytes.
- (`WANT_*` or `CANCEL`).

github.com/ipfs/go-libipfs/bitswap/server/internal/decision.(*Engine).MessageReceived
github.com/ipfs/go-libipfs/bitswap/server/internal/decision.(*Engine).NotifyNewBlocks
github.com/ipfs/go-libipfs/bitswap/server/internal/decision.(*Engine).findOrCreate
github.com/ipfs/go-libipfs/bitswap/server/internal/decision.(*Engine).PeerConnected
If you are using the stubs at `github.com/ipfs/go-libipfs/bitswap` and not taking advantage of the features provided by the server, refactoring your code to use the new split API will allow you to run in a client-only mode using `github.com/ipfs/boxo/bitswap/client`.
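As an added illustration of the patched behaviour described above (not boxo's own code; the real engine and message types are not reproduced here), the following Go snippet implements a per-peer wantlist with the three mitigations: a cap of `MaxQueuedWantlistEntriesPerPeer` entries enforced across delta updates, dropping of CIDs larger than `MaxCidSize`, and release of the queue on `PeerDisconnected`. Only the two option names and their defaults come from the advisory; `Server`, `Entry`, `QueuedEntries` and the signature of `MessageReceived` are assumptions.

```go
package main

// Added illustration, not boxo's code: per-peer wantlist capped at
// MaxQueuedWantlistEntriesPerPeer, oversized CIDs dropped, freed on disconnect.

const (
	MaxQueuedWantlistEntriesPerPeer = 1024 // advisory default
	MaxCidSize                       = 168  // advisory default, in bytes
)

// Entry is one wantlist delta: a WANT_* (Cancel=false) or a CANCEL.
type Entry struct {
	Cid    []byte
	Cancel bool
}

// Server maps each connected peer to its queued wantlist (assumed shape).
type Server map[string]map[string]struct{}

// MessageReceived applies a wantlist message from peer and returns how many
// entries it dropped; each delta is checked against the cap, so many small
// updates cannot add up past it.
func (s Server) MessageReceived(peer string, entries []Entry) (dropped int) {
	wl := s[peer]
	if wl == nil {
		wl = map[string]struct{}{}
		s[peer] = wl
	}
	for _, e := range entries {
		key := string(e.Cid)
		switch {
		case len(e.Cid) > MaxCidSize: // oversized CID is never stored
			dropped++
		case e.Cancel: // CANCEL frees the entry if present
			delete(wl, key)
		case len(wl) >= MaxQueuedWantlistEntriesPerPeer: // truncate at the cap
			if _, have := wl[key]; !have {
				dropped++
			}
		default:
			wl[key] = struct{}{}
		}
	}
	return dropped
}

// PeerDisconnected releases the peer's queue so allocations do not outlive it.
func (s Server) PeerDisconnected(peer string) { delete(s, peer) }

// QueuedEntries reports how many entries peer currently has queued.
func (s Server) QueuedEntries(peer string) int { return len(s[peer]) }
```

Before the fix the per-peer map would simply keep growing, and nothing removed it when the peer went away; the two checks in `MessageReceived` and the `PeerDisconnected` hook are what bound the memory a single remote peer can hold.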
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ipfs | go-ipfs-dep | * | cpe:2.3:a:ipfs:go-ipfs-dep:*:*:*:*:*:node.js:*:* |
github.com/advisories/GHSA-m974-xj4j-7qv5
github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916
github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197
github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974
github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5
github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5
nvd.nist.gov/vuln/detail/CVE-2023-25568