CVE-2023-23631

Name of the Vulnerable Software and Affected Versions go-unixfsnode versions prior to 1.5.2

Description The issue is caused by a bogus fanout parameter in the HAMT directory nodes, which can lead to panics and virtual memory leaks when trying to read malformed HAMT sharded directories. If untrusted user input is being read, an attacker can trigger a panic. This is a concern for users who are reading untrusted input.

Recommendations For versions prior to 1.5.2, users are advised to upgrade to version 1.5.2 or later to resolve the issue. As a temporary workaround, consider limiting the fanout to <= 1024 to avoid attempts of arbitrary sized allocations. There are no known workarounds other than upgrading.