CVE-2023-25568 : Boxo, formerly known as go-libipfs, is a library for building IPFS applications

Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`.

Published 2023-05-10 14:15:32

Updated 2023-05-19 01:53:27

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-25568

Protocol » Boxo » Version: 0.5.0 For GO
cpe:2.3:a:protocol:boxo:0.5.0:*:*:*:*:go:*:*
Matching versions
Protocol » Boxo » Version: 0.4.0 For GO
cpe:2.3:a:protocol:boxo:0.4.0:*:*:*:*:go:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-25568

EPSS FAQ

0.86%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-25568

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
8.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H	3.9	4.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: High

CWE ids for CVE-2023-25568

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Assigned by: security-advisories@github.com (Secondary)
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2023-25568

https://github.com/ipfs/boxo/commit/62cbac40b96f49e39cd7fedc77ee6b56adce4916

bitswap/server/internal/decision: add filtering on CIDs · ipfs/boxo@62cbac4 · GitHub
Patch
https://github.com/ipfs/go-libipfs/security/advisories/GHSA-m974-xj4j-7qv5

bitswap/server: DOS unbounded persistant memory leak · Advisory · ipfs/boxo · GitHub
Mitigation;Patch;Vendor Advisory
https://github.com/ipfs/boxo/commit/baa748b682fabb21a4c1f7628a8af348d4645974

bitswap/server/internal/decision: add more non flaky tests · ipfs/boxo@baa748b · GitHub
Patch
https://github.com/ipfs/boxo/commit/9cb5cb54d40b57084d1221ba83b9e6bb3fcc3197

bitswap/server/internal/decision: rewrite ledger inversion · ipfs/boxo@9cb5cb5 · GitHub
Patch

Jump to

Vulnerability Details : CVE-2023-25568

Products affected by CVE-2023-25568

Exploit prediction scoring system (EPSS) score for CVE-2023-25568

CVSS scores for CVE-2023-25568

CWE ids for CVE-2023-25568

References for CVE-2023-25568