PT-2023-20166 · Boxo · Boxo

Jorropo · Published 2023-05-10 · Updated 2023-06-14 · CVE-2023-25568

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Boxo versions 0.4.0 through 0.5.0

Description
An attacker can cause a Bitswap server to allocate and leak unbounded amounts of memory by sending many WANT_BLOCK and/or WANT_HAVE requests, which are queued in an unbounded queue, with allocations that persist even after the connection is closed. This affects users accepting untrusted connections with the Bitswap server, and also users of the old API stubs at github.com/ipfs/go-libipfs/bitswap, because those users transitively import github.com/ipfs/go-libipfs/bitswap/server.

Recommendations
- Update Boxo to version 0.6.0 or later.
- Update Boxo to version 0.4.1.
- As a temporary workaround, consider refactoring your code to use the new split API, which allows you to run in a client-only mode using github.com/ipfs/boxo/bitswap/client.

The fixed server:
- limits how many wantlist entries per peer it knows; this is configurable with the MaxQueuedWantlistEntriesPerPeer option;
- properly clears state about peers when they disconnect;
- ignores CIDs above some size; this is configurable with the MaxCidSize option;
- closes the connection if an inline CID is requested.
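As an added illustration of the mitigations described above (example code, not Boxo's own implementation), the following Go type keeps a per-peer wantlist behind a hard cap, refuses oversized CIDs, and drops a peer's state on disconnect. The type name, method names and the two limit values are hypothetical, modelled only on the option names the advisory gives; the inline-CID check is not shown.

```go
package main

import (
	"errors"
	"sync"
)

// Hypothetical caps modelled on the MaxQueuedWantlistEntriesPerPeer and MaxCidSize
// options the advisory names; this is an illustration, not Boxo's implementation.
const maxQueuedWantlistEntriesPerPeer = 1024
const maxCidSize = 100 // bytes

var ErrWantlistFull = errors.New("per-peer wantlist limit reached; entry dropped")
var ErrCidTooLarge = errors.New("CID larger than MaxCidSize; ignored")

// WantManager caps each peer's queued wantlist so one peer cannot grow server memory without bound.
type WantManager struct {
	mu    sync.Mutex
	wants map[string]map[string]struct{} // peer ID -> set of wanted CIDs
}

// AddWant records one WANT_HAVE/WANT_BLOCK entry, enforcing both limits.
func (m *WantManager) AddWant(peer string, cid []byte) error {
	if len(cid) > maxCidSize {
		return ErrCidTooLarge
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.wants == nil {
		m.wants = make(map[string]map[string]struct{})
	}
	set := m.wants[peer]
	if set == nil {
		set = make(map[string]struct{})
		m.wants[peer] = set
	}
	// A re-sent want costs nothing; a new one past the cap is dropped, not queued.
	if _, dup := set[string(cid)]; !dup && len(set) >= maxQueuedWantlistEntriesPerPeer {
		return ErrWantlistFull
	}
	set[string(cid)] = struct{}{}
	return nil
}

// PeerDisconnected drops all state for the peer so nothing outlives the connection.
func (m *WantManager) PeerDisconnected(peer string) {
	m.mu.Lock()
	defer m.mu.Unlock()
	delete(m.wants, peer)
}
```

Filling a peer to the cap makes further new wants return ErrWantlistFull while other peers are unaffected; after PeerDisconnected the same peer's wants are accepted again, which is the behaviour the unfixed versions lacked.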

Weakness Enumeration

Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

CVE-2023-25568
GHSA-M974-XJ4J-7QV5
GHSA-Q3J6-22WF-3JH9
GHSA-QVQG-6RP8-4P9H
GO-2023-1766

Affected Products

Boxo