PT-2026-38369 · Go · github.com/ipld/go-ipld-prime

Yuliyu123 · Published 2026-05-07 · Updated 2026-05-27 · CVE-2026-42328

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: go-ipld-prime versions prior to 0.23.0

Description: The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow. For DAG-CBOR, a payload of approximately 2 MB consisting of repeated 0x81 bytes followed by a terminator can exhaust the default 1 GB goroutine stack. DAG-JSON is similarly exposed via [[[...]]]-style payloads. Schema-free decoding using basicnode.Prototype.Any allows arbitrary nesting depth, while schema-bound decoding only limits nesting if the schema is non-recursive and contains no fields typed as Any.

Recommendations: Update to version 0.23.0.
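The defensive counterpart to the recursion described above, as an added example that is not code from go-ipld-prime or from this advisory: an iterative pre-check that bounds the array/map nesting depth of a DAG-CBOR payload before it reaches a recursive decoder, reading only the CBOR head bytes and skipping string payloads (the limit value passed by the caller is an assumption).

```go
package main
import "errors"
// ErrTooDeep is returned as soon as the nesting exceeds the caller's limit.
var ErrTooDeep = errors.New("dag-cbor: nesting depth exceeds limit")
// MaxNestingDepth walks one DAG-CBOR item with an explicit stack instead of recursion, so a hostile
// payload costs O(depth) heap rather than goroutine stack. It returns the deepest array/map nesting seen.
func MaxNestingDepth(data []byte, limit int) (int, error) {
	var pending []uint64 // items still expected inside each open container
	maxDepth, pos := 0, 0
	for pos < len(data) {
		major, ai := data[pos]>>5, data[pos]&0x1f
		arg, n := uint64(ai), 0 // arguments below 24 are stored inline
		if ai >= 24 && ai <= 27 {
			arg, n = 0, 1<<(ai-24) // 1, 2, 4 or 8 big-endian bytes follow
		}
		if ai > 27 || pos+1+n > len(data) { // DAG-CBOR forbids indefinite lengths
			return maxDepth, errors.New("dag-cbor: malformed or truncated argument")
		}
		for _, b := range data[pos+1 : pos+1+n] {
			arg = arg<<8 | uint64(b)
		}
		pos += 1 + n
		if major != 6 && len(pending) > 0 { // a non-tag item fills one slot of its parent
			pending[len(pending)-1]--
		}
		switch major {
		case 2, 3: // byte/text string: skip the payload bytes
			if uint64(len(data)-pos) < arg {
				return maxDepth, errors.New("dag-cbor: truncated string")
			}
			pos += int(arg)
		case 4, 5: // array of arg items, or map of arg pairs (2*arg items)
			pending = append(pending, arg<<(major-4))
		case 6: // tag (42 wraps CIDs): the item that follows fills the slot
			continue
		}
		if len(pending) > maxDepth {
			if maxDepth = len(pending); maxDepth > limit {
				return maxDepth, ErrTooDeep
			}
		}
		for len(pending) > 0 && pending[len(pending)-1] == 0 { // close finished containers
			pending = pending[:len(pending)-1]
		}
		if len(pending) == 0 {
			return maxDepth, nil // the single top-level item is complete
		}
	}
	return maxDepth, errors.New("dag-cbor: truncated item")
}
```

A payload of repeated 0x81 bytes is rejected as soon as the limit is crossed, without the checker itself recursing.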

Weakness Enumeration: Uncontrolled Recursion

Related Identifiers: CVE-2026-42328, GHSA-W239-58X2-Q8P5

Affected Products: github.com/ipld/go-ipld-prime (go-ipld-prime)