github.com/ipfs/boxo is vulnerable to Denial of Service (DoS) attacks. By making WANT_BLOCK and/or WANT_HAVE requests, which are persistent even if the connection is terminated, an attacker is able to allocate an undetermined number of bytes in the server.
github.com/ipfs/boxo/commit/35144c1e0577f33b6755d68487d3bf892df44315
github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916
github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197
github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974
github.com/ipfs/boxo/commit/c8438803571d38e33afcf5a679360a7a3a6de8e0
github.com/ipfs/boxo/issues/215
github.com/ipfs/boxo/security/advisories/GHSA-m974-xj4j-7qv5
github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5
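
The defensive pattern this class of bug calls for, as an added example (not boxo's code and not a reproduction of the commits listed above): a per-peer want ledger that caps the number of WANT_BLOCK/WANT_HAVE entries held for one peer and releases them when that peer disconnects. `Ledger`, `AddWant`, `PeerDisconnected`, `Pending` and the cap value are hypothetical names and values chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrWantlistFull is returned when a peer is already at its want budget.
var ErrWantlistFull = errors.New("wantlist full for peer")

// Ledger tracks outstanding wants per peer (hypothetical type; not goroutine-safe).
type Ledger struct {
	maxWants int                            // per-peer cap (assumed policy)
	wants    map[string]map[string]struct{} // peer ID -> set of wanted CIDs
}

func NewLedger(maxWants int) *Ledger { return &Ledger{maxWants, map[string]map[string]struct{}{}} }

// AddWant records one want entry and refuses it once the peer has reached the cap.
func (l *Ledger) AddWant(peer, cid string) error {
	set := l.wants[peer]
	if _, dup := set[cid]; dup {
		return nil // repeating a want must not grow state
	}
	if len(set) >= l.maxWants {
		return ErrWantlistFull
	}
	if set == nil {
		set = make(map[string]struct{})
		l.wants[peer] = set
	}
	set[cid] = struct{}{}
	return nil
}

// PeerDisconnected drops every want held for the peer so state does not outlive the connection.
func (l *Ledger) PeerDisconnected(peer string) { delete(l.wants, peer) }

// Pending reports how many wants are currently held for the peer.
func (l *Ledger) Pending(peer string) int { return len(l.wants[peer]) }

func main() {
	l := NewLedger(2) // tiny cap and peer/CID strings are constructed for the demo
	for _, c := range []string{"cidA", "cidB", "cidC"} {
		fmt.Println(c, l.AddWant("peerX", c))
	}
	l.PeerDisconnected("peerX")
	fmt.Println("pending after disconnect:", l.Pending("peerX"))
}
```
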