Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    48 vulnerabilities by protocol

    CVE-2026-35480 (GCVE-0-2026-35480)

    Vulnerability from nvd – Published: 2026-04-07 14:43 – Updated: 2026-04-09 14:40
    VLAI
    Title
    go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers
    Summary
    go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    ipld go-ipld-prime Affected: < 0.22.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35480",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T14:40:02.350803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T14:40:11.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-ipld-prime",
              "vendor": "ipld",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:43:24.781Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f"
            }
          ],
          "source": {
            "advisory": "GHSA-378j-3jfj-8r9f",
            "discovery": "UNKNOWN"
          },
          "title": "go-ipld-prime\u0027s DAG-CBOR decoder unbounded memory allocation from CBOR headers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35480",
        "datePublished": "2026-04-07T14:43:24.781Z",
        "dateReserved": "2026-04-02T20:49:44.453Z",
        "dateUpdated": "2026-04-09T14:40:11.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35457 (GCVE-0-2026-35457)

    Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-04-07 17:53
    VLAI
    Title
    libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.17.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35457",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T17:53:22.542830Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T17:53:37.355Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.17.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:19.941Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"
            }
          ],
          "source": {
            "advisory": "GHSA-v5hw-cv9c-rpg7",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35457",
        "datePublished": "2026-04-07T14:22:19.941Z",
        "dateReserved": "2026-04-02T19:25:52.193Z",
        "dateUpdated": "2026-04-07T17:53:37.355Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35405 (GCVE-0-2026-35405)

    Vulnerability from nvd – Published: 2026-04-07 14:21 – Updated: 2026-04-09 17:44
    VLAI
    Title
    libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.17.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35405",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T17:44:02.373442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T17:44:08.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.17.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register.  A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:21:15.377Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
            }
          ],
          "source": {
            "advisory": "GHSA-cqfx-gf56-8x59",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35405",
        "datePublished": "2026-04-07T14:21:15.377Z",
        "dateReserved": "2026-04-02T17:03:42.075Z",
        "dateUpdated": "2026-04-09T17:44:08.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34219 (GCVE-0-2026-34219)

    Vulnerability from nvd – Published: 2026-03-31 15:47 – Updated: 2026-03-31 17:34
    VLAI
    Title
    libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    • CWE-617 - Reachable Assertion
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.49.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34219",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T17:34:49.301642Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T17:34:57.667Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.49.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T15:47:31.785Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5"
            }
          ],
          "source": {
            "advisory": "GHSA-xqmp-fxgv-xvq5",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34219",
        "datePublished": "2026-03-31T15:47:31.785Z",
        "dateReserved": "2026-03-26T15:57:52.324Z",
        "dateUpdated": "2026-03-31T17:34:57.667Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33040 (GCVE-0-2026-33040)

    Vulnerability from nvd – Published: 2026-03-20 05:46 – Updated: 2026-03-20 15:41
    VLAI
    Title
    libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.49.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33040",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T15:40:49.446258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T15:41:03.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.49.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T05:46:42.276Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"
            }
          ],
          "source": {
            "advisory": "GHSA-gc42-3jg7-rxr2",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33040",
        "datePublished": "2026-03-20T05:46:42.276Z",
        "dateReserved": "2026-03-17T18:10:50.210Z",
        "dateUpdated": "2026-03-20T15:41:03.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32314 (GCVE-0-2026-32314)

    Vulnerability from nvd – Published: 2026-03-13 19:53 – Updated: 2026-03-16 13:48
    VLAI
    Title
    Yamux remote Panic via malformed Data frame with SYN set and len = 262145
    Summary
    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-yamux Affected: < 0.13.10
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32314",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-16T13:47:55.471147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-16T13:48:29.665Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-yamux",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.13.10"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect(\"stream not found\"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-13T19:53:08.823Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338"
            }
          ],
          "source": {
            "advisory": "GHSA-vxx9-2994-q338",
            "discovery": "UNKNOWN"
          },
          "title": "Yamux remote Panic via malformed Data frame with SYN set and len = 262145"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32314",
        "datePublished": "2026-03-13T19:53:08.823Z",
        "dateReserved": "2026-03-11T21:16:21.660Z",
        "dateUpdated": "2026-03-16T13:48:29.665Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31814 (GCVE-0-2026-31814)

    Vulnerability from nvd – Published: 2026-03-13 19:19 – Updated: 2026-03-13 19:38
    VLAI
    Title
    Yamux remote Panic via malformed WindowUpdate credit
    Summary
    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-yamux Affected: >= 0.13.0, < 0.13.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31814",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T19:37:53.480882Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T19:38:02.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-yamux",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.13.0, \u003c 0.13.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-13T19:19:41.879Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7"
            }
          ],
          "source": {
            "advisory": "GHSA-4w32-2493-32g7",
            "discovery": "UNKNOWN"
          },
          "title": "Yamux remote Panic via malformed WindowUpdate credit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31814",
        "datePublished": "2026-03-13T19:19:41.879Z",
        "dateReserved": "2026-03-09T16:33:42.914Z",
        "dateUpdated": "2026-03-13T19:38:02.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-40583 (GCVE-0-2023-40583)

    Vulnerability from nvd – Published: 2023-08-25 20:25 – Updated: 2024-10-02 14:45
    VLAI
    Title
    libp2p nodes vulnerable to OOM attack
    Summary
    libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    libp2p go-libp2p Affected: < 0.27.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:38:50.867Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
              },
              {
                "name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
              },
              {
                "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
              },
              {
                "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40583",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:44:58.191460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T14:45:16.702Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.27.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T20:25:28.297Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
            }
          ],
          "source": {
            "advisory": "GHSA-gcq9-qqwx-rgj3",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p nodes vulnerable to OOM attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40583",
        "datePublished": "2023-08-25T20:25:28.297Z",
        "dateReserved": "2023-08-16T18:24:02.391Z",
        "dateUpdated": "2024-10-02T14:45:16.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25568 (GCVE-0-2023-25568)

    Vulnerability from nvd – Published: 2023-05-10 00:00 – Updated: 2025-02-13 16:44
    VLAI
    Title
    Boxo bitswap/server: DOS unbounded persistent memory leak
    Summary
    Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    ipfs boxo Affected: 0.4.0
    Affected: 0.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:25:19.272Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25568",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-27T21:33:49.089709Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-27T21:34:11.093Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "boxo",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.4.0"
                },
                {
                  "status": "affected",
                  "version": "0.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-10T13:30:09.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
            },
            {
              "url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
            },
            {
              "url": "https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974"
            },
            {
              "url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
            }
          ],
          "source": {
            "advisory": "GHSA-m974-xj4j-7qv5",
            "defect": [
              "GHSA-m974-xj4j-7qv5"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Boxo bitswap/server: DOS unbounded persistent memory leak",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25568",
        "datePublished": "2023-05-10T00:00:00.000Z",
        "dateReserved": "2023-02-07T00:00:00.000Z",
        "dateUpdated": "2025-02-13T16:44:30.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23631 (GCVE-0-2023-23631)

    Vulnerability from nvd – Published: 2023-02-09 20:46 – Updated: 2025-03-10 21:14
    VLAI
    Title
    HAMT Decoding Panics in github.com/ipfs/go-unixfsnode
    Summary
    github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    ipfs go-unixfsnode Affected: < 1.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.625Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
              },
              {
                "name": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
              },
              {
                "name": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68"
              },
              {
                "name": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23631",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:58:01.028428Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:14:10.912Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-unixfsnode",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb\u0027s implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.\nIf you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:46:22.930Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
            },
            {
              "name": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
            },
            {
              "name": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68"
            },
            {
              "name": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122"
            }
          ],
          "source": {
            "advisory": "GHSA-4gj3-6r43-3wfc",
            "discovery": "UNKNOWN"
          },
          "title": "HAMT Decoding Panics in github.com/ipfs/go-unixfsnode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-23631",
        "datePublished": "2023-02-09T20:46:22.930Z",
        "dateReserved": "2023-01-16T17:07:46.245Z",
        "dateUpdated": "2025-03-10T21:14:10.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23626 (GCVE-0-2023-23626)

    Vulnerability from nvd – Published: 2023-02-09 20:54 – Updated: 2025-03-10 21:14
    VLAI
    Title
    Denial of service when feeding malformed size arguments in go-bitfield
    Summary
    go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    Assigner
    References
    Impacted products
    Vendor Product Version
    ipfs go-bitfield Affected: < 1.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.661Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
              },
              {
                "name": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23626",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:01:02.599125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:14:05.485Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-bitfield",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:54:07.075Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
            },
            {
              "name": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
            }
          ],
          "source": {
            "advisory": "GHSA-2h6c-j3gf-xp9r",
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service when feeding malformed size arguments in go-bitfield"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-23626",
        "datePublished": "2023-02-09T20:54:07.075Z",
        "dateReserved": "2023-01-16T17:07:46.244Z",
        "dateUpdated": "2025-03-10T21:14:05.485Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23625 (GCVE-0-2023-23625)

    Vulnerability from nvd – Published: 2023-02-09 20:57 – Updated: 2025-03-10 21:13
    VLAI
    Title
    Denial of service in HAMT Decoding in go-unixfs
    Summary
    go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    ipfs go-unixfs Affected: < 0.4.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.626Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"
              },
              {
                "name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:57:57.598014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:13:58.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-unixfs",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:57:22.072Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"
            },
            {
              "name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"
            }
          ],
          "source": {
            "advisory": "GHSA-q264-w97q-q778",
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service in HAMT Decoding in go-unixfs "
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-23625",
        "datePublished": "2023-02-09T20:57:22.072Z",
        "dateReserved": "2023-01-16T17:07:46.244Z",
        "dateUpdated": "2025-03-10T21:13:58.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22460 (GCVE-0-2023-22460)

    Vulnerability from nvd – Published: 2023-01-04 14:53 – Updated: 2025-03-11 13:34
    VLAI
    Title
    go-ipld-prime json codec may panic if asked to encode bytes
    Summary
    go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    ipld go-ipld-prime Affected: < 0.19.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:13:48.278Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92"
              },
              {
                "name": "https://github.com/ipld/go-ipld-prime/pull/472",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-ipld-prime/pull/472"
              },
              {
                "name": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-11T13:34:45.868105Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-11T13:34:55.463Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-ipld-prime",
              "vendor": "ipld",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.19.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn\u0027t expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-04T14:53:19.877Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92"
            },
            {
              "name": "https://github.com/ipld/go-ipld-prime/pull/472",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/pull/472"
            },
            {
              "name": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0"
            }
          ],
          "source": {
            "advisory": "GHSA-c653-6hhg-9x92",
            "discovery": "UNKNOWN"
          },
          "title": "go-ipld-prime json codec may panic if asked to encode bytes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-22460",
        "datePublished": "2023-01-04T14:53:19.877Z",
        "dateReserved": "2022-12-29T03:00:40.879Z",
        "dateUpdated": "2025-03-11T13:34:55.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2584 (GCVE-0-2022-2584)

    Vulnerability from nvd – Published: 2022-12-27 21:13 – Updated: 2025-04-11 16:41
    VLAI
    Title
    Panic when decoding invalid blocks in github.com/ipld/go-codec-dagpb
    Summary
    The dag-pb codec can panic when decoding invalid blocks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
    Assigner
    Go
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:39:08.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2022-0422"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2584",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-11T16:41:04.244297Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-11T16:41:55.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "github.com/ipld/go-codec-dagpb",
              "product": "github.com/ipld/go-codec-dagpb",
              "programRoutines": [
                {
                  "name": "DecodeBytes"
                },
                {
                  "name": "Decode"
                },
                {
                  "name": "Decoder"
                },
                {
                  "name": "Unmarshal"
                }
              ],
              "vendor": "github.com/ipld/go-codec-dagpb",
              "versions": [
                {
                  "lessThan": "1.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The dag-pb codec can panic when decoding invalid blocks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-12T19:04:17.953Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2022-0422"
            }
          ],
          "title": "Panic when decoding invalid blocks in github.com/ipld/go-codec-dagpb"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2022-2584",
        "datePublished": "2022-12-27T21:13:51.963Z",
        "dateReserved": "2022-07-29T20:03:20.380Z",
        "dateUpdated": "2025-04-11T16:41:55.240Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-47547 (GCVE-0-2022-47547)

    Vulnerability from nvd – Published: 2022-12-19 00:00 – Updated: 2025-04-17 14:05
    VLAI
    Summary
    GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-281 - Improper Preservation of Permissions
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T14:55:08.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arxiv.org/pdf/2212.05197.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-47547",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-17T14:04:52.896652Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-281",
                    "description": "CWE-281 Improper Preservation of Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-17T14:05:53.729Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-19T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://arxiv.org/pdf/2212.05197.pdf"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-47547",
        "datePublished": "2022-12-19T00:00:00.000Z",
        "dateReserved": "2022-12-19T00:00:00.000Z",
        "dateUpdated": "2025-04-17T14:05:53.729Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-35480 (GCVE-0-2026-35480)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:43 – Updated: 2026-04-09 14:40
    VLAI
    Title
    go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers
    Summary
    go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    ipld go-ipld-prime Affected: < 0.22.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35480",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T14:40:02.350803Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T14:40:11.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-ipld-prime",
              "vendor": "ipld",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.22.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:43:24.781Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-378j-3jfj-8r9f"
            }
          ],
          "source": {
            "advisory": "GHSA-378j-3jfj-8r9f",
            "discovery": "UNKNOWN"
          },
          "title": "go-ipld-prime\u0027s DAG-CBOR decoder unbounded memory allocation from CBOR headers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35480",
        "datePublished": "2026-04-07T14:43:24.781Z",
        "dateReserved": "2026-04-02T20:49:44.453Z",
        "dateUpdated": "2026-04-09T14:40:11.103Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35457 (GCVE-0-2026-35457)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 17:53
    VLAI
    Title
    libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.17.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35457",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-07T17:53:22.542830Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-07T17:53:37.355Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.17.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:22:19.941Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"
            }
          ],
          "source": {
            "advisory": "GHSA-v5hw-cv9c-rpg7",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35457",
        "datePublished": "2026-04-07T14:22:19.941Z",
        "dateReserved": "2026-04-02T19:25:52.193Z",
        "dateUpdated": "2026-04-07T17:53:37.355Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35405 (GCVE-0-2026-35405)

    Vulnerability from cvelistv5 – Published: 2026-04-07 14:21 – Updated: 2026-04-09 17:44
    VLAI
    Title
    libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.17.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35405",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-09T17:44:02.373442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-09T17:44:08.836Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.17.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register.  A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-07T14:21:15.377Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
            }
          ],
          "source": {
            "advisory": "GHSA-cqfx-gf56-8x59",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35405",
        "datePublished": "2026-04-07T14:21:15.377Z",
        "dateReserved": "2026-04-02T17:03:42.075Z",
        "dateUpdated": "2026-04-09T17:44:08.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34219 (GCVE-0-2026-34219)

    Vulnerability from cvelistv5 – Published: 2026-03-31 15:47 – Updated: 2026-03-31 17:34
    VLAI
    Title
    libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    • CWE-617 - Reachable Assertion
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.49.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34219",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T17:34:49.301642Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T17:34:57.667Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.49.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-617",
                  "description": "CWE-617: Reachable Assertion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T15:47:31.785Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5"
            }
          ],
          "source": {
            "advisory": "GHSA-xqmp-fxgv-xvq5",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34219",
        "datePublished": "2026-03-31T15:47:31.785Z",
        "dateReserved": "2026-03-26T15:57:52.324Z",
        "dateUpdated": "2026-03-31T17:34:57.667Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33040 (GCVE-0-2026-33040)

    Vulnerability from cvelistv5 – Published: 2026-03-20 05:46 – Updated: 2026-03-20 15:41
    VLAI
    Title
    libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow
    Summary
    libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-libp2p Affected: < 0.49.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33040",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T15:40:49.446258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T15:41:03.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.49.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-20T05:46:42.276Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"
            }
          ],
          "source": {
            "advisory": "GHSA-gc42-3jg7-rxr2",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33040",
        "datePublished": "2026-03-20T05:46:42.276Z",
        "dateReserved": "2026-03-17T18:10:50.210Z",
        "dateUpdated": "2026-03-20T15:41:03.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-32314 (GCVE-0-2026-32314)

    Vulnerability from cvelistv5 – Published: 2026-03-13 19:53 – Updated: 2026-03-16 13:48
    VLAI
    Title
    Yamux remote Panic via malformed Data frame with SYN set and len = 262145
    Summary
    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-yamux Affected: < 0.13.10
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32314",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-16T13:47:55.471147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-16T13:48:29.665Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-yamux",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.13.10"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect(\"stream not found\"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248: Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-13T19:53:08.823Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338"
            }
          ],
          "source": {
            "advisory": "GHSA-vxx9-2994-q338",
            "discovery": "UNKNOWN"
          },
          "title": "Yamux remote Panic via malformed Data frame with SYN set and len = 262145"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32314",
        "datePublished": "2026-03-13T19:53:08.823Z",
        "dateReserved": "2026-03-11T21:16:21.660Z",
        "dateUpdated": "2026-03-16T13:48:29.665Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31814 (GCVE-0-2026-31814)

    Vulnerability from cvelistv5 – Published: 2026-03-13 19:19 – Updated: 2026-03-13 19:38
    VLAI
    Title
    Yamux remote Panic via malformed WindowUpdate credit
    Summary
    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-190 - Integer Overflow or Wraparound
    Assigner
    References
    Impacted products
    Vendor Product Version
    libp2p rust-yamux Affected: >= 0.13.0, < 0.13.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31814",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-13T19:37:53.480882Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-13T19:38:02.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-yamux",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.13.0, \u003c 0.13.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-190",
                  "description": "CWE-190: Integer Overflow or Wraparound",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-13T19:19:41.879Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7"
            }
          ],
          "source": {
            "advisory": "GHSA-4w32-2493-32g7",
            "discovery": "UNKNOWN"
          },
          "title": "Yamux remote Panic via malformed WindowUpdate credit"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31814",
        "datePublished": "2026-03-13T19:19:41.879Z",
        "dateReserved": "2026-03-09T16:33:42.914Z",
        "dateUpdated": "2026-03-13T19:38:02.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-40583 (GCVE-0-2023-40583)

    Vulnerability from cvelistv5 – Published: 2023-08-25 20:25 – Updated: 2024-10-02 14:45
    VLAI
    Title
    libp2p nodes vulnerable to OOM attack
    Summary
    libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    libp2p go-libp2p Affected: < 0.27.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:38:50.867Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
              },
              {
                "name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
              },
              {
                "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
              },
              {
                "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-40583",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:44:58.191460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-02T14:45:16.702Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-libp2p",
              "vendor": "libp2p",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.27.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T20:25:28.297Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
            },
            {
              "name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
            }
          ],
          "source": {
            "advisory": "GHSA-gcq9-qqwx-rgj3",
            "discovery": "UNKNOWN"
          },
          "title": "libp2p nodes vulnerable to OOM attack"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-40583",
        "datePublished": "2023-08-25T20:25:28.297Z",
        "dateReserved": "2023-08-16T18:24:02.391Z",
        "dateUpdated": "2024-10-02T14:45:16.702Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25568 (GCVE-0-2023-25568)

    Vulnerability from cvelistv5 – Published: 2023-05-10 00:00 – Updated: 2025-02-13 16:44
    VLAI
    Title
    Boxo bitswap/server: DOS unbounded persistent memory leak
    Summary
    Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    ipfs boxo Affected: 0.4.0
    Affected: 0.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:25:19.272Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25568",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-27T21:33:49.089709Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-27T21:34:11.093Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "boxo",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.4.0"
                },
                {
                  "status": "affected",
                  "version": "0.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-10T13:30:09.142Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916"
            },
            {
              "url": "https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197"
            },
            {
              "url": "https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974"
            },
            {
              "url": "https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5"
            }
          ],
          "source": {
            "advisory": "GHSA-m974-xj4j-7qv5",
            "defect": [
              "GHSA-m974-xj4j-7qv5"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Boxo bitswap/server: DOS unbounded persistent memory leak",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-25568",
        "datePublished": "2023-05-10T00:00:00.000Z",
        "dateReserved": "2023-02-07T00:00:00.000Z",
        "dateUpdated": "2025-02-13T16:44:30.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23625 (GCVE-0-2023-23625)

    Vulnerability from cvelistv5 – Published: 2023-02-09 20:57 – Updated: 2025-03-10 21:13
    VLAI
    Title
    Denial of service in HAMT Decoding in go-unixfs
    Summary
    go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    ipfs go-unixfs Affected: < 0.4.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.626Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"
              },
              {
                "name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:57:57.598014Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:13:58.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-unixfs",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-unixfs is an implementation of a unix-like filesystem on top of an ipld merkledag. Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus `fanout` parameter in the HAMT directory nodes. Users are advised to upgrade to version 0.4.3 to resolve this issue. Users unable to upgrade should not feed untrusted user data to the decoding functions.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:57:22.072Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778"
            },
            {
              "name": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175"
            }
          ],
          "source": {
            "advisory": "GHSA-q264-w97q-q778",
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service in HAMT Decoding in go-unixfs "
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-23625",
        "datePublished": "2023-02-09T20:57:22.072Z",
        "dateReserved": "2023-01-16T17:07:46.244Z",
        "dateUpdated": "2025-03-10T21:13:58.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23626 (GCVE-0-2023-23626)

    Vulnerability from cvelistv5 – Published: 2023-02-09 20:54 – Updated: 2025-03-10 21:14
    VLAI
    Title
    Denial of service when feeding malformed size arguments in go-bitfield
    Summary
    go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-754 - Improper Check for Unusual or Exceptional Conditions
    Assigner
    References
    Impacted products
    Vendor Product Version
    ipfs go-bitfield Affected: < 1.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.661Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
              },
              {
                "name": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23626",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T21:01:02.599125Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:14:05.485Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-bitfield",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s. This happen when the `size` is a not a multiple of `8` or is negative. There were already a note in the `NewBitfield` documentation, however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that `size` is a multiple of 8 before calling `NewBitfield` or `FromBytes`.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-754",
                  "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:54:07.075Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
            },
            {
              "name": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
            }
          ],
          "source": {
            "advisory": "GHSA-2h6c-j3gf-xp9r",
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service when feeding malformed size arguments in go-bitfield"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-23626",
        "datePublished": "2023-02-09T20:54:07.075Z",
        "dateReserved": "2023-01-16T17:07:46.244Z",
        "dateUpdated": "2025-03-10T21:14:05.485Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23631 (GCVE-0-2023-23631)

    Vulnerability from cvelistv5 – Published: 2023-02-09 20:46 – Updated: 2025-03-10 21:14
    VLAI
    Title
    HAMT Decoding Panics in github.com/ipfs/go-unixfsnode
    Summary
    github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb's implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    ipfs go-unixfsnode Affected: < 1.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.625Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
              },
              {
                "name": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
              },
              {
                "name": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68"
              },
              {
                "name": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-23631",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T20:58:01.028428Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-10T21:14:10.912Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-unixfsnode",
              "vendor": "ipfs",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "github.com/ipfs/go-unixfsnode is an ADL IPLD prime node that wraps go-codec-dagpb\u0027s implementation of protobuf to enable pathing. In versions priot to 1.5.2 trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks.\nIf you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus fanout parameter in the HAMT directory nodes. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-02-09T20:46:22.930Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/security/advisories/GHSA-4gj3-6r43-3wfc"
            },
            {
              "name": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/commit/59050ea8bc458ae55246ae09243e6e165923e076"
            },
            {
              "name": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/commit/91b3d39d33ef0cd2aff2c95d50b2329350944b68"
            },
            {
              "name": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipfs/go-unixfsnode/commit/a4ed723727e0bdc2277158337c2fc0d82802d122"
            }
          ],
          "source": {
            "advisory": "GHSA-4gj3-6r43-3wfc",
            "discovery": "UNKNOWN"
          },
          "title": "HAMT Decoding Panics in github.com/ipfs/go-unixfsnode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-23631",
        "datePublished": "2023-02-09T20:46:22.930Z",
        "dateReserved": "2023-01-16T17:07:46.245Z",
        "dateUpdated": "2025-03-10T21:14:10.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-22460 (GCVE-0-2023-22460)

    Vulnerability from cvelistv5 – Published: 2023-01-04 14:53 – Updated: 2025-03-11 13:34
    VLAI
    Title
    go-ipld-prime json codec may panic if asked to encode bytes
    Summary
    go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    ipld go-ipld-prime Affected: < 0.19.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:13:48.278Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92"
              },
              {
                "name": "https://github.com/ipld/go-ipld-prime/pull/472",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-ipld-prime/pull/472"
              },
              {
                "name": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-22460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-11T13:34:45.868105Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-11T13:34:55.463Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "go-ipld-prime",
              "vendor": "ipld",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.19.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn\u0027t expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-04T14:53:19.877Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92"
            },
            {
              "name": "https://github.com/ipld/go-ipld-prime/pull/472",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/pull/472"
            },
            {
              "name": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0"
            }
          ],
          "source": {
            "advisory": "GHSA-c653-6hhg-9x92",
            "discovery": "UNKNOWN"
          },
          "title": "go-ipld-prime json codec may panic if asked to encode bytes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-22460",
        "datePublished": "2023-01-04T14:53:19.877Z",
        "dateReserved": "2022-12-29T03:00:40.879Z",
        "dateUpdated": "2025-03-11T13:34:55.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2584 (GCVE-0-2022-2584)

    Vulnerability from cvelistv5 – Published: 2022-12-27 21:13 – Updated: 2025-04-11 16:41
    VLAI
    Title
    Panic when decoding invalid blocks in github.com/ipld/go-codec-dagpb
    Summary
    The dag-pb codec can panic when decoding invalid blocks.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
    Assigner
    Go
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:39:08.048Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2022-0422"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2584",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-11T16:41:04.244297Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-11T16:41:55.240Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "github.com/ipld/go-codec-dagpb",
              "product": "github.com/ipld/go-codec-dagpb",
              "programRoutines": [
                {
                  "name": "DecodeBytes"
                },
                {
                  "name": "Decode"
                },
                {
                  "name": "Decoder"
                },
                {
                  "name": "Unmarshal"
                }
              ],
              "vendor": "github.com/ipld/go-codec-dagpb",
              "versions": [
                {
                  "lessThan": "1.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The dag-pb codec can panic when decoding invalid blocks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-06-12T19:04:17.953Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2022-0422"
            }
          ],
          "title": "Panic when decoding invalid blocks in github.com/ipld/go-codec-dagpb"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2022-2584",
        "datePublished": "2022-12-27T21:13:51.963Z",
        "dateReserved": "2022-07-29T20:03:20.380Z",
        "dateUpdated": "2025-04-11T16:41:55.240Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-47547 (GCVE-0-2022-47547)

    Vulnerability from cvelistv5 – Published: 2022-12-19 00:00 – Updated: 2025-04-17 14:05
    VLAI
    Summary
    GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-281 - Improper Preservation of Permissions
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T14:55:08.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://arxiv.org/pdf/2212.05197.pdf"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-47547",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-17T14:04:52.896652Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-281",
                    "description": "CWE-281 Improper Preservation of Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-17T14:05:53.729Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "GossipSub 1.1, as used for Ethereum 2.0, allows a peer to maintain a positive score (and thus not be pruned from the network) even though it continuously misbehaves by never forwarding topic messages."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-12-19T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://arxiv.org/pdf/2212.05197.pdf"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-47547",
        "datePublished": "2022-12-19T00:00:00.000Z",
        "dateReserved": "2022-12-19T00:00:00.000Z",
        "dateUpdated": "2025-04-17T14:05:53.729Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }