Go · github.com/ipld/go-ipld-prime · CVE-2026-42328
**Name of the Vulnerable Software and Affected Versions**
go-ipld-prime versions prior to 0.23.0
**Description**
The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow. For DAG-CBOR, a payload of approximately 2 MB consisting of repeated `0x81` bytes followed by a terminator can exhaust the default 1 GB goroutine stack. DAG-JSON is similarly exposed via `[[[...]]]`-style payloads. Schema-free decoding using `basicnode.Prototype.Any` allows arbitrary nesting depth, while schema-bound decoding only limits nesting if the schema is non-recursive and contains no fields typed as `Any`.
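The nesting described above can be measured without recursion before bytes reach a decoder. The following is an added example, not go-ipld-prime code: `CheckDepth`, the two error values and the caller-chosen `limit` are assumptions. It walks DAG-CBOR item headers with an explicit stack and rejects input nested deeper than the limit.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrTooDeep = errors.New("cbor: nesting exceeds limit")
var ErrMalformed = errors.New("cbor: truncated or not valid DAG-CBOR")

// CheckDepth (hypothetical helper) walks CBOR item headers with an explicit
// stack instead of recursion; the stack never holds more than limit+2 entries.
func CheckDepth(data []byte, limit int) error {
	open := []uint64{1} // items still expected per open collection; root expects 1
	for pos := 0; pos < len(data); {
		major, info := data[pos]>>5, data[pos]&0x1f
		arg, n := uint64(info), 0
		if info >= 24 {
			arg, n = 0, 1<<(info-24) // argument follows in 1, 2, 4 or 8 bytes
		}
		if pos++; info >= 28 || len(data)-pos < n {
			return ErrMalformed // reserved or indefinite length, or truncated header
		}
		for ; n > 0; n, pos = n-1, pos+1 {
			arg = arg<<8 | uint64(data[pos]) // big-endian argument
		}
		if major >= 2 && major <= 5 && arg > uint64(len(data)-pos) {
			return ErrMalformed // declared length exceeds the remaining input
		} else if major == 6 {
			continue // tag: wraps the next item and fills no slot itself
		} else if major == 2 || major == 3 {
			pos += int(arg) // byte or text string: skip the payload
		}
		open[len(open)-1]-- // this item fills one slot of its parent
		if major == 4 || major == 5 { // list or map; a map holds 2*arg items
			if open = append(open, arg<<(major-4)); len(open)-1 > limit {
				return ErrTooDeep
			}
		}
		for len(open) > 0 && open[len(open)-1] == 0 {
			open = open[:len(open)-1] // close every collection that is now complete
		}
		if len(open) == 0 {
			return nil // top-level item complete; trailing bytes are not examined
		}
	}
	return ErrMalformed // input ended with collections still open
}

func main() { fmt.Println(CheckDepth([]byte{0x81, 0x81, 0x81, 0x00}, 2)) } // constructed sample
```

The check covers nesting depth only and does not validate other DAG-CBOR rules, so it complements the upgrade rather than replacing it.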
**Recommendations**
Update to version 0.23.0.