CVE-2020-26283: Control character injection in console output in github.com/ipfs/go-ipfs
CVSS Score (v3.1): 6.8
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.74041%
CWE
Published: 6/23/2021
Updated: 1/9/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/ipfs/go-ipfs | go | < 0.8.0 | 0.8.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped control characters in CLI output across multiple command handlers. The GitHub commit diff shows these functions were modified to add `EscNonPrint` escaping, indicating they previously output user-controlled data without proper sanitization. Each identified function handles user-provided strings (filenames, paths, keys, etc.) and passed them directly to output functions like `fmt.Fprintf` without escaping, enabling control character injection. The high confidence comes from explicit patching evidence in the commit, where escaping was added to these specific output locations.
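The pattern described above, as an added example that is not code from go-ipfs or from the original page: a handler that writes a user-supplied name verbatim next to one that escapes non-printable runes first. `escapeNonPrint`, `listUnsafe`, `listSafe` and `render` are hypothetical names, the escaping logic is an assumption about one reasonable way to do it rather than the project's `EscNonPrint` implementation, and the sample name is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strconv"
	"strings"
	"unicode"
)

// escapeNonPrint (hypothetical helper, not go-ipfs's EscNonPrint) replaces each
// non-printable rune with its Go escape sequence so a terminal shows it as text.
func escapeNonPrint(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsPrint(r) {
			b.WriteRune(r)
			continue
		}
		// QuoteRune yields e.g. '\x1b'; drop the surrounding single quotes.
		q := strconv.QuoteRune(r)
		b.WriteString(q[1 : len(q)-1])
	}
	return b.String()
}

// listUnsafe mirrors the pre-fix pattern: the name reaches the writer verbatim.
func listUnsafe(w io.Writer, name string) {
	fmt.Fprintf(w, "added %s\n", name)
}

// listSafe escapes the user-controlled name before formatting it.
func listSafe(w io.Writer, name string) {
	fmt.Fprintf(w, "added %s\n", escapeNonPrint(name))
}

// render captures what a handler would write to the console.
func render(f func(io.Writer, string), name string) string {
	var buf bytes.Buffer
	f(&buf, name)
	return buf.String()
}

func main() {
	name := "a.txt\x1b[31m\rb.txt" // constructed sample: ESC sequence and CR in a filename
	fmt.Printf("unsafe bytes: %q\n", render(listUnsafe, name))
	fmt.Printf("safe bytes:   %q\n", render(listSafe, name))
}
```

Printing with `%q` in `main` keeps the demonstration itself from sending the raw bytes to the terminal.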