CVE-2026-42328

MEDIUM

go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

Title source: cna

Description

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-w239-58x2-q8p5

Scores

CVSS v3 6.2

EPSS 0.0012

EPSS Percentile 2.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (2)

ipld/go-ipld-prime 0 - 0.23.0Go

ipld/go-ipld-prime < 0.23.0

Published May 27, 2026

Tracked Since May 27, 2026