PT-2022-28262 · Unknown+1 · Go-Codec-Dagpb+1
Published 2022-04-08 · Updated 2022-04-08
Severity: none assigned. No severity ratings or metrics are available; when they are, the corresponding information on this page will be updated.
Name of the Vulnerable Software and Affected Versions
go-ipfs versions 0.10.0 through 0.12.1
Description
go-ipfs nodes can crash when traversing certain malformed graphs, because of a bug in the go-codec-dagpb dependency. This creates a denial-of-service risk, particularly for nodes that download or export data controlled by external user input. Notable exposed use cases include public gateways, pinning services, and applications such as IPFS Companion.
Recommendations
If you run version 0.10.0, 0.11.0, 0.12.0, or 0.12.1, update to v0.11.1 or v0.12.2 to resolve the issue.
If you run a forked version of go-ipfs, or are on v0.10.0 and cannot yet absorb the v0.11.0 breaking changes, update the go-codec-dagpb dependency to >=v1.3.2 instead.
As a temporary workaround, limit exposure of any endpoint that allows arbitrary IPLD traversals, such as the HTTP RPC API and the Gateway API, by allowing access only to trusted users and applications.
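The second recommendation above turns on one fact: whether the go-codec-dagpb module resolved into your build is at or above v1.3.2. The following is an added example, not code from the advisory or from the go-ipfs project, that reads the output of `go list -m all` and reports the effective go-codec-dagpb version and whether it is below the fixed version. It assumes the module path github.com/ipld/go-codec-dagpb (the page names the dependency only as "go-codec-dagpb"), honours `=>` replace directives by judging the replacement version, and treats a pre-release of v1.3.2 itself (for example v1.3.2-rc1) as still unfixed. The sample module lists in main are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module path (assumption: the advisory names only "go-codec-dagpb") and the
// minimum fixed version stated in the advisory.
const (
	dagpbModule  = "github.com/ipld/go-codec-dagpb"
	dagpbFixedAt = "v1.3.2"
)

// semver is a parsed MAJOR.MINOR.PATCH triple plus a pre-release flag.
type semver struct {
	nums [3]int
	pre  bool // true for "v1.3.2-rc1"-style versions
}

// parseSemver parses Go module versions such as "v1.3.2", "v1.3.2-rc1" or
// "v1.3.2+incompatible". Build metadata is ignored; a pre-release tag is recorded.
func parseSemver(v string) (semver, error) {
	var out semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		out.pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad version component %q", p)
		}
		out.nums[i] = n
	}
	return out, nil
}

// atLeast reports whether v satisfies ">= floor". A pre-release of floor itself
// (e.g. v1.3.2-rc1 against v1.3.2) does not satisfy it.
func atLeast(v, floor semver) bool {
	for i := 0; i < 3; i++ {
		if v.nums[i] != floor.nums[i] {
			return v.nums[i] > floor.nums[i]
		}
	}
	return !v.pre
}

// CheckModuleList scans `go list -m all` output and returns the effective
// go-codec-dagpb version and whether it is below the fixed version.
// A replace directive ("path v1 => path v2") is judged by its replacement version;
// a replacement pointing at a local directory cannot be judged and yields an error.
func CheckModuleList(listOutput string) (version string, vulnerable bool, err error) {
	fixed, _ := parseSemver(dagpbFixedAt)
	sc := bufio.NewScanner(strings.NewReader(listOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != dagpbModule {
			continue
		}
		version = f[1]
		if len(f) >= 4 && f[2] == "=>" {
			version = f[len(f)-1] // replacement target: a version, or a local path
		}
		v, perr := parseSemver(version)
		if perr != nil {
			return version, false, fmt.Errorf("cannot judge %s: %w", version, perr)
		}
		return version, !atLeast(v, fixed), nil
	}
	return "", false, fmt.Errorf("%s not present in module list", dagpbModule)
}

func main() {
	// Constructed sample `go list -m all` outputs, not taken from any real build.
	samples := []string{
		"github.com/ipfs/go-ipfs v0.12.1\ngithub.com/ipld/go-codec-dagpb v1.3.0\n",
		"github.com/ipld/go-codec-dagpb v1.3.0 => github.com/ipld/go-codec-dagpb v1.3.2\n",
	}
	for _, s := range samples {
		ver, vuln, err := CheckModuleList(s)
		fmt.Printf("version=%s vulnerable=%v err=%v\n", ver, vuln, err)
	}
}
```

In practice, pipe the real list in with `go list -m all | go run check.go` (reading stdin instead of the constructed samples) from the module root of the go-ipfs build or fork you ship; a replace to a local checkout is reported as undecidable rather than silently passed, so it has to be reviewed by hand.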
Related Identifiers
Affected Products
Go-Codec-Dagpb
Go-Ipfs