high
7.5
CWE
252 755
Advisory Published
Updated

CVE-2022-23495: ProtoNode may be modified such that common method calls may panic in ipfs/go-merkledag

First published: Thu Dec 08 2022(Updated: )

go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A `ProtoNode` may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A `ProtoNode` should only be able to encode to valid DAG-PB, attempting to encode invalid DAG-PB forms will result in an error from the codec. Manipulation of an existing (newly created or decoded) `ProtoNode` using the modifier methods did not account for certain states that would place the `ProtoNode` into an unencodeable form. Due to conformance with the [`github.com/ipfs/go-block-format#Block`](https://pkg.go.dev/github.com/ipfs/go-block-format#Block) and [`github.com/ipfs/go-ipld-format#Node`](https://pkg.go.dev/github.com/ipfs/go-ipld-format#Node) interfaces, certain methods, which internally require a re-encode if state has changed, will panic due to the inability to return an error. This issue has been addressed across a number of pull requests. Users are advised to upgrade to version 0.8.1 for a complete set of fixes. Users unable to upgrade may attempt to mitigate this issue by sanitising inputs when allowing user-input to set a new `CidBuilder` on a `ProtoNode` and by sanitising `Tsize` (`Link#Size`) values such that they are a reasonable byte-size for sub-DAGs where derived from user-input.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Protocol Go-merkledag>=0.4.0<0.8.1

Remedy

https://github.com/ipfs/go-merkledag/issues/90

Remedy

https://github.com/ipfs/go-merkledag/pull/91

Remedy

https://github.com/ipfs/go-merkledag/pull/92

Remedy

https://github.com/ipfs/go-merkledag/pull/93

Remedy

https://github.com/ipfs/kubo/issues/9297

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2022-23495?

    CVE-2022-23495 is considered a high severity vulnerability due to the potential for application crashes.

  • How do I fix CVE-2022-23495?

    To mitigate CVE-2022-23495, update the go-merkledag library to version 0.8.2 or later, as it contains the necessary patches.

  • What are the impacted versions of go-merkledag for CVE-2022-23495?

    CVE-2022-23495 affects go-merkledag versions between 0.4.0 and 0.8.1 inclusive.

  • What type of errors does CVE-2022-23495 cause?

    CVE-2022-23495 can trigger encode errors that may lead to panics on common method calls.

  • Which interface does CVE-2022-23495 affect in go-merkledag?

    CVE-2022-23495 affects the 'DAGService' interface implemented in go-merkledag.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203