logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-qvqg-6rp8-4p9h github.com/ipfs/kubo

Package

Manager: go
Name: github.com/ipfs/kubo
Vulnerable Version: >=0 <0.19.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

github.com/ipfs/kubo affected by DOS Bitswap unbounded persistent memory leak ### Impact An attacker is able allocate arbitrarily many bytes in the Bitswap server by sending many `WANT_BLOCK` and or `WANT_HAVE` requests which are queued in an unbounded queue, with allocations that persist even if the connection is closed. This affects users accepting or connecting untrusted connections such as by running in the public swarm and no pnet config. Nodes that are not publicly reachable but connects to untrusted nodes are also vulnerable to the untrusted nodes being connected to since libp2p connections are blindly bidirectional. ### Patches - 19feb15833c6f4d6e7f1e1b132efaae96d76481d [`boxo`](https://github.com/ipfs/boxo) update in Kubo - GHSA-m974-xj4j-7qv5 patches in boxo ### Workarounds Use [PNET](https://github.com/ipfs/kubo/blob/master/docs/experimental-features.md#private-networks), [swarm filters](https://github.com/ipfs/kubo/blob/master/docs/config.md#swarmaddrfilters) or [resource manager allows list](https://pkg.go.dev/github.com/libp2p/go-libp2p/p2p/host/resource-manager#readme-allowlisting-multiaddrs-to-mitigate-eclipse-attacks) to block untrusted connections. Note that using the resource manager will disrupt both client and server features because the bitswap protocol is a message based protocol mixing requests and responses. ### References - GHSA-m974-xj4j-7qv5 - [CVE-2023-25568](https://nvd.nist.gov/vuln/detail/CVE-2023-25568)

Metadata

Created: 2023-05-11T20:40:16Z
Modified: 2023-05-11T20:40:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-qvqg-6rp8-4p9h/GHSA-qvqg-6rp8-4p9h.json
CWE IDs: ["CWE-400", "CWE-770"]
Alternative ID: N/A
Finding: F067
Auto approve: 1