Description
go-unixfs is an implementation of a Unix-like filesystem on top of an IPLD merkledag. Reading a malformed HAMT-sharded directory can cause panics and virtual memory leaks, so any application that decodes untrusted input lets an attacker trigger a panic (denial of service). The cause is a bogus `fanout` parameter in HAMT directory nodes, which affected versions used without validation. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted data to the decoding functions.
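The checks a HAMT decoder needs before it trusts `fanout`, as an added example written for this page: it is not go-unixfs code and does not reproduce the 0.4.3 fix. A minimal shard stand-in validates the value (non-zero, power of two, within a cap) before it sizes its bitmap or derives the number of hash bits consumed per level, which is where an unchecked value turns into a huge allocation or an out-of-range bit index. The cap `maxFanout`, the `Shard` type and the hash bytes are assumptions constructed for the example; 256 is the fanout a well-formed go-unixfs shard carries by default.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// ErrInvalidFanout is returned for fanout values a well-formed shard never carries.
var ErrInvalidFanout = errors.New("hamt: invalid fanout")

// maxFanout is an example cap chosen for this demonstration, not a go-unixfs
// constant. A decoder without such a cap allocates fanout/8 bitmap bytes for
// whatever value the node carries.
const maxFanout = 1 << 10

// validateFanout returns log2(fanout), the number of hash bits consumed per
// level, once fanout has passed the checks that must precede any use of it.
func validateFanout(fanout uint64) (int, error) {
	// OnesCount64(0) == 0, so this also rejects zero.
	if bits.OnesCount64(fanout) != 1 {
		return 0, fmt.Errorf("%w: %d is not a power of two", ErrInvalidFanout, fanout)
	}
	if fanout < 2 || fanout > maxFanout {
		return 0, fmt.Errorf("%w: %d outside [2, %d]", ErrInvalidFanout, fanout, maxFanout)
	}
	return bits.TrailingZeros64(fanout), nil
}

// Shard is a minimal stand-in for a HAMT shard node: one bitmap bit per child slot.
type Shard struct {
	fanout  uint64
	logBits int
	bitmap  []byte
}

// NewShard is the decoder entry point. The bitmap is sized from fanout only
// after validation, so a node-supplied value cannot drive the allocation.
func NewShard(fanout uint64) (*Shard, error) {
	logBits, err := validateFanout(fanout)
	if err != nil {
		return nil, err
	}
	return &Shard{fanout: fanout, logBits: logBits, bitmap: make([]byte, (fanout+7)/8)}, nil
}

// Slot returns the child index for hash at the given depth: the next logBits
// bits of the hash, read MSB-first. Running past the hash is an error, not a panic.
func (s *Shard) Slot(hash []byte, depth int) (int, error) {
	start := depth * s.logBits
	if start+s.logBits > len(hash)*8 {
		return 0, errors.New("hamt: hash exhausted at this depth")
	}
	idx := 0
	for i := start; i < start+s.logBits; i++ {
		bit := (hash[i/8] >> (7 - uint(i%8))) & 1
		idx = idx<<1 | int(bit)
	}
	return idx, nil
}

func main() {
	hash := []byte{0xAB, 0xCD, 0xEF, 0x01} // constructed hash prefix for the example

	// Well-formed shard: fanout 256 consumes 8 bits per level.
	s, err := NewShard(256)
	if err != nil {
		panic(err)
	}
	for depth := 0; depth < 4; depth++ {
		slot, _ := s.Slot(hash, depth)
		fmt.Printf("depth %d -> slot %d\n", depth, slot)
	}

	// Values a malformed node might carry: 0 and 3 break the bit math,
	// 1<<40 would mean a 128 GiB bitmap. Each is rejected before any allocation.
	for _, bad := range []uint64{0, 3, 300, 1 << 40} {
		if _, err := NewShard(bad); err != nil {
			fmt.Println("rejected:", err)
		}
	}
}
```

The order matters: validation happens in `NewShard` before `make` runs, so an oversized fanout never reaches the allocator, and a non-power-of-two never reaches the shift arithmetic in `Slot`.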
References
Vendor Advisory (x_refsource_confirm): https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
Scores
CVSS v3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
EPSS: 0.0047 (percentile 64.6%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-400 (Uncontrolled Resource Consumption)
Status: published
Products (2)
ipfs/go-unixfs (Go): 0 - 0.4.3
protocol/go-unixfs: < 0.4.3
Published: Feb 09, 2023
Tracked Since: Feb 18, 2026