CVE-2023-26248

Name of the Vulnerable Software and Affected Versions go-libp2p-kad-dht versions 0.20.0 and earlier IPFS versions 0.18.1 and earlier

Description The issue allows an attacker to censor content in the InterPlanetary File System (IPFS) by exploiting the Kademlia DHT. This is done by generating many Sybil peers whose peer IDs have a small DHT distance from the content ID, thus hijacking the content resolution process.

Recommendations For go-libp2p-kad-dht versions 0.20.0 and earlier, consider updating to a version that does not use the vulnerable Kademlia DHT implementation. For IPFS versions 0.18.1 and earlier, consider updating to a version that does not use the vulnerable go-libp2p-kad-dht library. As a temporary workaround, consider restricting the ability to generate many Sybil peers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.