Home > Vulnerability Database > CVE-2023-23625

Mend.io Vulnerability Database

CVE-2023-23625

Good to know:

Date: February 9, 2023

go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.

Language: Go

Severity Score

5.9

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23625

Url: https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778

Url: https://pkg.go.dev/vuln/GO-2023-1557

Url: https://github.com/ipfs/go-unixfs

Url: https://github.com/advisories/GHSA-q264-w97q-q778

Url: https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175

Url: https://www.mend.io/vulnerability-database/CVE-2023-23625

Severity Score

5.9

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version v0.4.3

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23625

Good to know:

Date: February 9, 2023

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?