Skip to main content

go-ipld-prime EUVDEUVD-2026-32581

| CVE-2026-42328 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-07 https://github.com/ipld/go-ipld-prime GHSA-w239-58x2-q8p5
6.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 02:30 vuln.today
Analysis Generated
May 07, 2026 - 02:30 vuln.today
CVE Published
May 07, 2026 - 02:07 nvd
MEDIUM 6.2

DescriptionGitHub Advisory

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic).

For DAG-CBOR, a payload of approximately 2 MB, consisting of repeated 0x81 (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go's default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via [[[...]]]-style payloads; it has no budget system and is therefore unprotected against recursion depth as well.

Schema-free decoding (using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as Any; schemas with recursive type references or any Any-typed fields permit unconstrained nesting at those points.

The fix adds a configurable MaxDepth option to both decoders, defaulting to 1024 nested levels. The decoder returns ErrDecodeDepthExceeded when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.

AnalysisAI

Denial of service in go-ipld-prime's DAG-CBOR and DAG-JSON decoders via unbounded recursion depth allows remote attackers to exhaust goroutine stack memory by sending deeply nested collection payloads, causing the Go runtime to terminate with a fatal stack overflow. A ~2 MB DAG-CBOR payload with 2 million nested arrays reliably triggers the condition. Affected versions before 0.23.0 have no depth limit; the existing allocation budget cannot prevent stack exhaustion because each nested header consumes only a few budget units.

Technical ContextAI

go-ipld-prime is a Go implementation of IPLD (InterPlanetary Linked Data), a specification for content-addressed data structures. The vulnerability exists in the DAG-CBOR (CBOR-based DAG encoding) and DAG-JSON decoders, which recursively parse nested maps and lists without enforcing a maximum recursion depth. DAG-CBOR uses binary format (e.g., 0x81 for array-of-1), while DAG-JSON uses JSON arrays. The root cause is CWE-674 (Uncontrolled Recursion), exacerbated by two conditions: (1) Schema-free decoding via basicnode.Prototype.Any permits arbitrary nesting, and (2) Schema-bound decoding only bounds nesting when schemas are non-recursive and contain no Any-typed fields. The existing allocation budget mechanism is insufficient because it tracks heap allocation, not stack depth-each nested collection header costs only a handful of budget units, so the 1 GB default Go goroutine stack is exhausted before the budget limit is reached.

RemediationAI

Upgrade go-ipld-prime to version 0.23.0 or later, which introduces a configurable MaxDepth option (default 1024 levels) and returns ErrDecodeDepthExceeded when nesting exceeds the limit. In applications using go-ipld-prime prior to 0.23.0, implement input validation to reject DAG-CBOR or DAG-JSON payloads larger than ~100 KB before passing to the decoder, as deeply nested payloads reliably exploit this DoS. Alternatively, use schema-bound decoding with non-recursive schemas that contain no Any-typed fields-however, this is a weak compensating control because schema validation is application-specific. Set MaxDepth lower than the default (e.g., 256) if your application's legitimate use case involves shallow nesting, reducing the attacker's surface. Monitor for goroutine crashes in production; if go-ipld-prime processes untrusted IPFS or peer-provided data, prioritize upgrading to 0.23.0 immediately. See GitHub advisory GHSA-w239-58x2-q8p5 for details.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-32581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy