CVE-2020-10937
Description
An eclipse attack using Sybil identities on IPFS nodes before version 0.7 allows an attacker to poison routing tables and isolate targeted peers from the network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-10937 affects go-ipfs version 0.4.23. The vulnerability allows an attacker to generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison the routing tables of other nodes. This eclipses the targeted nodes, isolating them from the rest of the network. [1]
An attacker can exploit this by creating a large number of pseudonymous Peer IDs, which are used to subvert the libp2p reputation system. The attack manipulates the targeted node's DHT routing table so that only attacker-controlled peers are present. No authentication or prior access is required, as the attack is performed externally over the network. [2]
The impact of a successful eclipse attack is that the victim node is effectively cut off from legitimate peers. The attacker can then censor or manipulate the content that the targeted node can retrieve, and may be able to conduct further attacks such as routing or data injection. The vulnerability is rated with a critical CVSS score. [1]
Mitigations were released incrementally in go-ipfs versions 0.5, 0.6, and 0.7, with version 0.7 fully mitigating the original attack. The fix involved hardening the DHT routing and raising the cost of Sybil attacks. Users should upgrade to go-ipfs 0.7 or later. [2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ipfs/go-ipfs (Go) | < 0.7.0 | 0.7.0 |
Affected products
- IPFS/go-ipfs
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-r23h-3jmw-q7hr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-10937 (NVD advisory)
- blog.ipfs.io/2020-10-30-dht-hardening (IPFS blog, DHT hardening)
- blog.ipfs.io/2020-10-30-dht-hardening/ (MITRE reference, MISC)
- graz.pure.elsevier.com/en/publications/total-eclipse-of-the-heart-disrupting-the-interplanetary-file-sys (paper: "Total Eclipse of the Heart – Disrupting the InterPlanetary File System")
News mentions
No linked articles in our index yet.