GHSA-F2GR-7299-487H

GHSA-F2GR-7299-487H is a medium-severity uncontrolled resource consumption vulnerability in github.com/ipfs/go-ipfs (go), affecting versions >= 0.5.0, < 0.13.1. It is fixed in 0.13.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

DOS and excessive memory usage when passing untrusted user input to to dag import

Forks

For those running on forked versions of go-ipfs, simply updating the version of github.com/ipld/go-car/v2 you are using to >= v2.4.0 should resolve the issue.

Libraries consumers

Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-car.

You can check if your Go module has a dependency on go-car by running a command such as go mod graph | grep go-car in your module root.

Note: if you are using other libraries, some parts of go-car (github.com/ipld/go-car/v2/index/...) have not fully been fixed yet. Please see go-car's security advisory for more information. go-ipfs do not make use of this code.

Workarounds

The best way to work around this is to control exposure to the HTTP RPC API endpoint for CAR imports to only work with trusted data.

You can also validate that the car will not crash go-ipfs by running car verify on it first (go install github.com/ipld/go-car/cmd/car@latest).

References

See also the go-car security advisory.

For more information

If you have any questions or comments about this advisory:

  1. Ask in the IPFS Discourse
  2. Ask in the IPFS Discord #ipld-chatter
  3. Open an issue in go-ipfs

Impact

go-ipfs nodes crash when trying to import certain malformed CAR files due to an issue in the go-car dependency. This impacts nodes running ipfs dag import on untrusted user inputs, for example, pinning services with a car ingest endpoint.
This include the corresponding HTTP RPC API v0/dag/import endpoint.

An attacker controlling the car file passed in can also make the node allocate arbitrary sized buffers creating memory exhaustion attacks.

Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service. Typical impact: denial of service.

Affected versions

github.com/ipfs/go-ipfs (>= 0.5.0, < 0.13.1)

Security releases

github.com/ipfs/go-ipfs → 0.13.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

0.13.1, 0.14 and later.

Frequently Asked Questions

  1. What is GHSA-F2GR-7299-487H? GHSA-F2GR-7299-487H is a medium-severity uncontrolled resource consumption vulnerability in github.com/ipfs/go-ipfs (go), affecting versions >= 0.5.0, < 0.13.1. It is fixed in 0.13.1. Crafted input forces the application to consume excessive CPU, memory, or other resources, degrading or denying service.
  2. Which versions of github.com/ipfs/go-ipfs are affected by GHSA-F2GR-7299-487H? github.com/ipfs/go-ipfs (go) versions >= 0.5.0, < 0.13.1 is affected.
  3. Is there a fix for GHSA-F2GR-7299-487H? Yes. GHSA-F2GR-7299-487H is fixed in 0.13.1. Upgrade to this version or later.
  4. Is GHSA-F2GR-7299-487H exploitable, and should I be worried? Whether GHSA-F2GR-7299-487H is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-F2GR-7299-487H is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-F2GR-7299-487H? Upgrade github.com/ipfs/go-ipfs to 0.13.1 or later.

Other vulnerabilities in github.com/ipfs/go-ipfs

Stop the waste.
Protect your environment with Kodem.