CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
54.4%
Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.
If you are reading untrusted user input, an attacker can then trigger a panic.
This is caused by a bogus fanout parameter in the HAMT directory nodes.
This includes checks returned in ipfs/go-bitfield GHSA-2h6c-j3gf-xp9r, as well as limiting the fanout to <= 1024 (to avoid attempts of arbitrary sized allocations).
github.com/ipfs/go-unixfsnode
github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076
github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68
github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122
github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc
nvd.nist.gov/vuln/detail/CVE-2023-23631
pkg.go.dev/vuln/GO-2023-1559