PT-2023-18513 · Unknown · Go-Ipld-Prime

Hacdias · Published 2023-01-04 · Updated 2023-01-18 · CVE-2023-22460

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: go-ipld-prime versions prior to 0.19.0

Description: The issue arises when data containing a Bytes kind Node is encoded with the json codec. The encoder does not expect to receive Bytes tokens and panics. Because plain JSON cannot represent bytes, this situation should be reported as an encoding error rather than causing a panic. The dag-json codec is not affected, and neither is use of the json codec as a decoder. If the json codec is used to encode user-supplied data, the panic can be triggered by that data and used as a vector for a denial of service attack.

Recommendations: For versions prior to 0.19.0, update to version 0.19.0 to resolve the issue. As a temporary workaround, use the dag-json codec, which can encode bytes, instead of the json codec when encoding data that may contain Bytes kind Nodes.
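The following Go program is an added illustration, not go-ipld-prime's own code: it models the failure mode described above with a constructed stand-in Node type and shows the two defensive measures a caller can apply when the json codec must handle untrusted data, rejecting Bytes kind nodes before encoding and converting any residual encoder panic into an error so the process is not taken down. The Node type, ContainsBytes, naiveJSONEncode and SafeJSONEncode are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Node is a constructed stand-in for an IPLD node (not go-ipld-prime's datamodel.Node); kinds: "string", "bytes", "map".
type Node struct {
	Kind   string
	Str    string
	Fields map[string]Node // set when Kind == "map"
}

// ErrBytesInJSON is returned to the caller instead of letting the encoder panic.
var ErrBytesInJSON = errors.New("json codec cannot encode Bytes kind; use dag-json instead")

// ContainsBytes walks the tree for a Bytes node: the pre-encode check to run on user-supplied data.
func ContainsBytes(n Node) bool {
	found := n.Kind == "bytes"
	for _, c := range n.Fields {
		found = found || ContainsBytes(c)
	}
	return found
}

// naiveJSONEncode models the pre-0.19.0 behaviour the advisory describes: a Bytes token reaches the encoder, which panics.
func naiveJSONEncode(n Node) string {
	switch n.Kind {
	case "string":
		return fmt.Sprintf("%q", n.Str)
	case "map":
		var parts []string
		for k, v := range n.Fields {
			parts = append(parts, fmt.Sprintf("%q:%s", k, naiveJSONEncode(v)))
		}
		return "{" + strings.Join(parts, ",") + "}" // field order is unspecified
	}
	panic("unexpected token kind " + n.Kind)
}

// SafeJSONEncode rejects Bytes up front and turns any residual panic into an error, so untrusted input cannot crash the caller.
func SafeJSONEncode(n Node) (out string, err error) {
	if ContainsBytes(n) {
		return "", ErrBytesInJSON
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("json encode panicked: %v", r)
		}
	}()
	return naiveJSONEncode(n), nil
}
```

With the real library the same pattern applies around the json codec's encode call; switching to the dag-json codec, as recommended above, removes the need for the Bytes check entirely.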

Weakness Enumeration

Related Identifiers

CVE-2023-22460
GHSA-C653-6HHG-9X92
GO-2023-1269

Affected Products

Go-Ipld-Prime