PT-2022-28237 · Go-Car+1

Published 2022-07-06 · Updated 2022-07-06

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

go-ipfs versions prior to 0.13.1. Version 0.13.1 and later (including 0.14 onward) are not affected, except for forked builds that still depend on a vulnerable go-car release (github.com/ipld/go-car/v2 below v2.4.0).
Description

The issue is caused by a defect in the go-car dependency: go-ipfs nodes crash when importing certain malformed CAR files. This affects nodes that run ipfs dag import on untrusted input. An attacker who controls the CAR file can also cause memory exhaustion by making the node allocate arbitrarily large buffers. The "v0/dag/import" HTTP RPC API endpoint is affected in the same way.
Recommendations

For go-ipfs versions prior to 0.13.1, update to version 0.13.1 or later. For forked versions of go-ipfs, update the github.com/ipld/go-car/v2 dependency to v2.4.0 or later. As a temporary workaround, restrict exposure of the "v0/dag/import" HTTP RPC API endpoint so that it only receives trusted data, and validate CAR files with car verify before importing them to prevent crashes. Other libraries in the go-ipfs ecosystem that depend on go-car should likewise upgrade it to v2.4.0 or later.
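The description above names the mechanism (a length prefix the importer trusts before allocating, so a malformed file can demand an arbitrarily large buffer or end early and crash the reader) and the recommendations name the mitigation (bound what untrusted CAR data may ask for, and validate before importing). The Go below is an added example written for this page, not code from go-car or go-ipfs: a simplified CAR section reader that shows the unbounded pattern beside a bounded one that rejects oversized lengths before allocating and turns a truncated section into an error instead of a panic. The maxSectionSize constant, the error names and the sample inputs are constructed for illustration; go-car v2 exposes read options (MaxAllowedHeaderSize, MaxAllowedSectionSize) that impose the same kind of bound on a real import.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// CAR v1 layout, simplified: a varint-prefixed header block followed by
// varint-prefixed sections (each a CID plus block bytes). Only the length
// prefixes matter here, because that is where attacker-controlled data
// decides how much the reader allocates.

// maxSectionSize bounds how much a single section may ask us to allocate.
// 32 MiB is an assumed illustrative limit, not a go-ipfs default.
const maxSectionSize = 32 << 20

var (
	ErrSectionTooLarge = errors.New("car: section length exceeds limit")
	ErrTruncated       = errors.New("car: truncated section")
)

// byteReader adapts an io.Reader to io.ByteReader for binary.ReadUvarint.
type byteReader struct{ io.Reader }

func (b byteReader) ReadByte() (byte, error) {
	var buf [1]byte
	_, err := io.ReadFull(b.Reader, buf[:])
	return buf[0], err
}

// readSectionUnbounded mirrors the unsafe pattern: trust the length prefix
// and allocate before checking that the data is actually there. A prefix of
// 2^40 makes this attempt a 1 TiB allocation. Defined for comparison only;
// it is never called on the malicious input below.
func readSectionUnbounded(r io.Reader) ([]byte, error) {
	n, err := binary.ReadUvarint(byteReader{r})
	if err != nil {
		return nil, err
	}
	buf := make([]byte, n)
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// readSectionBounded rejects lengths above maxSize before allocating, and
// reports a short read as ErrTruncated rather than letting a later stage
// index past the data it got.
func readSectionBounded(r io.Reader, maxSize uint64) ([]byte, error) {
	n, err := binary.ReadUvarint(byteReader{r})
	if err != nil {
		return nil, err
	}
	if n > maxSize {
		return nil, fmt.Errorf("%w: %d > %d", ErrSectionTooLarge, n, maxSize)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return nil, ErrTruncated
		}
		return nil, err
	}
	return buf, nil
}

// section builds a well-formed varint-prefixed section (constructed input).
func section(payload []byte) []byte {
	var hdr [binary.MaxVarintLen64]byte
	k := binary.PutUvarint(hdr[:], uint64(len(payload)))
	return append(hdr[:k], payload...)
}

// hugeLengthSection is a constructed malicious section: a varint claiming
// 2^40 bytes of data with nothing behind it.
func hugeLengthSection() []byte {
	var hdr [binary.MaxVarintLen64]byte
	k := binary.PutUvarint(hdr[:], 1<<40)
	return hdr[:k]
}

func main() {
	got, err := readSectionBounded(bytes.NewReader(section([]byte("hello"))), maxSectionSize)
	fmt.Printf("well-formed: %q err=%v\n", got, err)

	_, err = readSectionBounded(bytes.NewReader(hugeLengthSection()), maxSectionSize)
	fmt.Println("oversized prefix:", err)

	trunc := section(make([]byte, 100))[:20] // prefix says 100, only 19 follow
	_, err = readSectionBounded(bytes.NewReader(trunc), maxSectionSize)
	fmt.Println("truncated:", err)
}
```

Run it and the bounded reader returns the payload for the well-formed section, ErrSectionTooLarge for the oversized prefix without allocating, and ErrTruncated for the cut-off section. Gating ipfs dag import on car verify is the operational equivalent of the bounded path: the malformed file is rejected before the node commits memory to it.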

Weakness Enumeration

Resource Exhaustion

Related Identifiers

GHSA-F2GR-7299-487H

Affected Products

Go-Car
Go-Ipfs