
GHSA-q3j6-22wf-3jh9: github.com/ipfs/go-bitswap vulnerable to DOS unbounded persistent memory leak

CVSS Score
7.5 (CVSS v3.1)

Basic Information

CVE ID
-
EPSS Score
-
Published
5/11/2023
Updated
6/16/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
github.com/ipfs/go-bitswap
Ecosystem
go
Vulnerable Versions
< 0.12.0
First Patched Version
0.12.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from uncontrolled resource consumption in message handling. The listed functions directly process untrusted inputs (WANT_* requests) and manage peer state without: (1) limiting queued entries per peer (CWE-770), (2) validating CID sizes, or (3) cleaning up disconnected peers' state (CWE-400). Commits 62cbac4 and 9cb5cb5 explicitly modified these functions to add MaxQueuedWantlistEntriesPerPeer, MaxCidSize, and peer-state cleanup, confirming their role in the vulnerability.
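The three missing controls described above, shown as an added Go sketch that is not go-bitswap's own code: a per-peer want queue that bounds the number of queued entries, rejects oversized CIDs before storing them, and drops a peer's state on disconnect. The option names MaxQueuedWantlistEntriesPerPeer and MaxCidSize come from the advisory text; the limit values, the peer IDs and CIDs, the reject-when-full policy and the `maxPerPeer <= 0` "unbounded" mode (used only to contrast the pre-0.12.0 behaviour) are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Errors returned by HandleWant when a request is refused.
var (
	ErrCidTooLarge = errors.New("cid exceeds max cid size")
	ErrQueueFull   = errors.New("per-peer wantlist queue is full")
	ErrUnknownPeer = errors.New("want from a peer that is not connected")
)

// WantManager tracks the want entries queued by each connected peer.
// maxPerPeer <= 0 disables the per-peer limit and maxCidSize <= 0 disables
// the size check; together they model the unbounded behaviour the advisory
// describes for go-bitswap < 0.12.0 (an assumption of this example).
type WantManager struct {
	mu         sync.Mutex
	maxPerPeer int // plays the role of MaxQueuedWantlistEntriesPerPeer
	maxCidSize int // plays the role of MaxCidSize (bytes)
	wants      map[string]map[string]struct{} // peer ID -> set of CIDs (raw bytes as string)
}

func NewWantManager(maxPerPeer, maxCidSize int) *WantManager {
	return &WantManager{
		maxPerPeer: maxPerPeer,
		maxCidSize: maxCidSize,
		wants:      make(map[string]map[string]struct{}),
	}
}

// Connect allocates per-peer state when a peer connects.
func (m *WantManager) Connect(peer string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, ok := m.wants[peer]; !ok {
		m.wants[peer] = make(map[string]struct{})
	}
}

// Disconnect drops everything the peer had queued. Without this step the
// entries of every peer that ever connected would persist (CWE-400).
func (m *WantManager) Disconnect(peer string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.wants, peer)
}

// HandleWant processes one WANT_* entry from an untrusted peer. It rejects
// oversized CIDs before storing anything and refuses new entries once the
// peer's queue is at its limit (CWE-770). Rejecting rather than evicting is
// a policy chosen for this example, not necessarily go-bitswap's.
func (m *WantManager) HandleWant(peer string, cid []byte) error {
	if m.maxCidSize > 0 && len(cid) > m.maxCidSize {
		return ErrCidTooLarge
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	queue, ok := m.wants[peer]
	if !ok {
		return ErrUnknownPeer
	}
	key := string(cid)
	if _, dup := queue[key]; dup {
		return nil // re-sent want: nothing new to store
	}
	if m.maxPerPeer > 0 && len(queue) >= m.maxPerPeer {
		return ErrQueueFull
	}
	queue[key] = struct{}{}
	return nil
}

// QueuedEntries reports how many entries a peer currently has queued.
func (m *WantManager) QueuedEntries(peer string) int {
	m.mu.Lock()
	defer m.mu.Unlock()
	return len(m.wants[peer])
}

// TotalEntries reports the total queued across all peers, i.e. the memory
// that an attacker could grow without the limits.
func (m *WantManager) TotalEntries() int {
	m.mu.Lock()
	defer m.mu.Unlock()
	n := 0
	for _, q := range m.wants {
		n += len(q)
	}
	return n
}

func main() {
	unbounded := NewWantManager(0, 0)  // models < 0.12.0
	bounded := NewWantManager(4, 64)   // limit values are constructed
	for _, m := range []*WantManager{unbounded, bounded} {
		m.Connect("peer-1") // constructed peer ID
		for i := 0; i < 1000; i++ {
			_ = m.HandleWant("peer-1", []byte(fmt.Sprintf("cid-%04d", i))) // constructed CIDs
		}
	}
	fmt.Println("unbounded:", unbounded.TotalEntries(), "bounded:", bounded.TotalEntries())
	bounded.Disconnect("peer-1")
	fmt.Println("bounded after disconnect:", bounded.TotalEntries())
}
```

Running it shows the unbounded manager holding all 1000 entries from a single peer while the bounded one holds 4, and the disconnect path returning the total to zero; the same flood across many short-lived peer IDs is what the "persistent memory leak" in the title refers to when no cleanup on disconnect exists.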


WAF Protection Rules

WAF Rule

This package has been moved to [`github.com/ipfs/boxo/bitswap`](https://pkg.go.dev/github.com/ipfs/boxo/bitswap); this vulnerability is tracked there: https://github.com/ipfs/boxo/security/advisories/GHSA-m***-xj*j-*qv* (`CVE-****-*****`) ### Remedi
