Denial of service in HAMT Decoding in go-unixfs
Description
Malformed HAMT sharded directories with bogus fanout values trigger panic and virtual memory leaks in go-unixfs before 0.4.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2023-23625 is a denial-of-service vulnerability in the go-unixfs package, which implements a Unix-like filesystem on top of an IPLD MerkleDAG. The issue arises when decoding HAMT (Hash Array Mapped Trie) sharded directory nodes whose fanout parameter is malformed. The fanout sizes the shard's bitfield and child table, and before the fix it reached those allocations unchecked, so a specially crafted node can cause panics (runtime crashes) and virtual memory leaks in the consuming application [1][4].
Attack Vector and Prerequisites
Exploitation requires the attacker to supply untrusted user input—specifically, a malformed HAMT sharded directory—to a program that uses go-unixfs to decode it. No authentication is mentioned as a prerequisite; the attack surface is present wherever untrusted data is fed to the decoding functions. The attacker does not need special network access beyond the ability to deliver the malicious input to the target process [1].
Impact
A successful exploit leads to a panic (crash) of the application, effectively causing a denial of service. Additionally, the virtual memory leak can gradually exhaust system resources, potentially degrading performance or leading to further instability. There is no indication of remote code execution or data corruption [1][4].
Mitigation and Remediation
The vulnerability is fixed in go-unixfs version 0.4.3, released on 2023-02-09; users should upgrade to that version or later. The fix commit caps the HAMT width at 1 << 10 in newChilder, returns the error from bitfield.NewBitfield instead of panicking, and bumps go-bitfield to v1.1.0 to get that error-returning constructor. For those unable to upgrade, the advisory recommends not feeding untrusted user data to the decoding functions as a workaround. Note that the go-unixfs repository has been archived and is no longer maintained; users are advised to migrate to the maintained version in the boxo repository [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ipfs/go-unixfs (Go) | < 0.4.3 | 0.4.3 |
Affected products
- Range: < 0.4.3
Patches
467d139a640e Merge pull request from GHSA-q264-w97q-q778
5 files changed · +27 −11
go.mod+1 −1 modified@@ -3,7 +3,7 @@ module github.com/ipfs/go-unixfs require ( github.com/alecthomas/units v0.0.0-20210927113745-59d0afb8317a github.com/gogo/protobuf v1.3.2 - github.com/ipfs/go-bitfield v1.0.0 + github.com/ipfs/go-bitfield v1.1.0 github.com/ipfs/go-block-format v0.0.3 github.com/ipfs/go-blockservice v0.2.1 github.com/ipfs/go-cid v0.3.2
go.sum+2 −2 modified@@ -244,8 +244,8 @@ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANyt github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= github.com/ipfs/bbloom v0.0.4 h1:Gi+8EGJ2y5qiD5FbsbpX/TMNcJw8gSqr7eyjHa4Fhvs= github.com/ipfs/bbloom v0.0.4/go.mod h1:cS9YprKXpoZ9lT0n/Mw/a6/aFV6DTjTLYHeA+gyqMG0= -github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ= -github.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus= +github.com/ipfs/go-bitfield v1.1.0 h1:fh7FIo8bSwaJEh6DdTWbCeZ1eqOaOkKFI74SCnsWbGA= +github.com/ipfs/go-bitfield v1.1.0/go.mod h1:paqf1wjq/D2BBmzfTVFlJQ9IlFOZpg422HL0HqsGWHU= github.com/ipfs/go-bitswap v0.5.1 h1:721YAEDBnLIrvcIMkCHCdqp34hA8jwL9yKMkyJpSpco= github.com/ipfs/go-bitswap v0.5.1/go.mod h1:P+ckC87ri1xFLvk74NlXdP0Kj9RmWAh4+H78sC6Qopo= github.com/ipfs/go-block-format v0.0.2/go.mod h1:AWR46JfpcObNfg3ok2JHDUfdiHRgWhJgCQF+KIgOPJY=
hamt/hamt.go+18 −4 modified@@ -106,12 +106,16 @@ func makeShard(ds ipld.DAGService, size int, key string, val *ipld.Link) (*Shard if err != nil { return nil, err } + childer, err := newChilder(ds, size) + if err != nil { + return nil, err + } maxpadding := fmt.Sprintf("%X", size-1) s := &Shard{ tableSizeLg2: lg2s, prefixPadStr: fmt.Sprintf("%%0%dX", len(maxpadding)), maxpadlen: len(maxpadding), - childer: newChilder(ds, size), + childer: childer, tableSize: size, dserv: ds, @@ -765,11 +769,21 @@ type childer struct { children []*Shard } -func newChilder(ds ipld.DAGService, size int) *childer { +const maximumHamtWidth = 1 << 10 // FIXME: Spec this and decide of a correct value + +func newChilder(ds ipld.DAGService, size int) (*childer, error) { + if size > maximumHamtWidth { + return nil, fmt.Errorf("hamt witdh (%d) exceed maximum allowed (%d)", size, maximumHamtWidth) + } + bf, err := bitfield.NewBitfield(size) + if err != nil { + return nil, err + } + return &childer{ dserv: ds, - bitfield: bitfield.NewBitfield(size), - } + bitfield: bf, + }, nil } func (s *childer) makeChilder(data []byte, links []*ipld.Link) *childer {
hamt/hamt_test.go+5 −3 modified@@ -737,8 +737,10 @@ func BenchmarkHAMTSet(b *testing.B) { } func TestHamtBadSize(t *testing.T) { - _, err := NewShard(nil, 7) - if err == nil { - t.Fatal("should have failed to construct hamt with bad size") + for _, size := range [...]int{-8, 7, 2, 1337, 1024 + 8, -3} { + _, err := NewShard(nil, size) + if err == nil { + t.Error("should have failed to construct hamt with bad size: %d", size) + } } }
version.json+1 −1 modified@@ -1,3 +1,3 @@ { - "version": "v0.4.2" + "version": "v0.4.3" }
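Review bot: the bump of github.com/ipfs/go-bitfield from v1.0.0 to v1.1.0 in the go.mod hunk is load-bearing rather than a routine dependency refresh, since the hamt/hamt.go hunk at @@ -765 relies on the v1.1.0 form of bitfield.NewBitfield returning (bf, err) to surface bad sizes instead of panicking; state that in the commit or a changelog entry so a later tidy-up does not lower the dependency floor, and keep the matching go.sum lines in the same change.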
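Review bot: the error message in the new size guard in newChilder (hamt/hamt.go hunk at @@ -765,11 +769,21 @@) has two typos, "hamt witdh (%d) exceed maximum allowed (%d)" should read "hamt width (%d) exceeds maximum allowed (%d)", and the accompanying "FIXME: Spec this and decide of a correct value" leaves maximumHamtWidth = 1 << 10 undocumented; add a doc comment saying why 1024 was chosen and that it is the hard cap for any fanout read from untrusted data, since this guard is now the only check between a decoded fanout and bitfield.NewBitfield. The guard also only rejects size > maximumHamtWidth; zero and negative sizes are left to bitfield.NewBitfield's own error, which works with go-bitfield v1.1.0 but deserves a comment so a future dependency change does not silently remove that check.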
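Review bot: t.Error in the new loop in TestHamtBadSize (hamt/hamt_test.go hunk) is passed a format verb, t.Error("should have failed to construct hamt with bad size: %d", size), but t.Error does not format, so the message prints the verb literally and go vet's printf check will flag it; use t.Errorf. The new size table also has no value that is a power of two above the cap (2048, for example): both oversized entries, 1337 and 1024 + 8, are also not powers of two, so the test would still pass if the maximumHamtWidth guard were removed. Add one such case so the new check is exercised on its own.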
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-q264-w97q-q778 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-23625 (NVD entry)
- [3] github.com/ipfs/go-unixfs/commit/467d139a640ecee4f2e74643dafcc58bb3b54175 (fix commit)
- [4] github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778 (repository security advisory)
- [5] pkg.go.dev/vuln/GO-2023-1557 (Go vulnerability database)