VYPR
Medium severity (5.3) · GHSA Advisory · Published Oct 25, 2024 · Updated Apr 15, 2026

CVE-2023-26248

Description

The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content by generating many Sybil peers whose peer IDs have a small distance from the content ID, thus hijacking the content resolution process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-26248 allows Sybil attacks on IPFS Kademlia DHT, enabling content censorship by hijacking content resolution for less than $100.

Vulnerability

CVE-2023-26248 affects the Kademlia DHT implementation in go-libp2p-kad-dht (0.20.0 and earlier) and IPFS (0.18.1 and earlier). The DHT assigns routing information for content to peers whose peer IDs have a small XOR distance from the content ID. This deterministic mapping allows an attacker to generate many Sybil peers with IDs close to a target content ID, thereby monopolizing the set of peers responsible for storing that content's provider records [1][4].

Exploitation

An attacker can exploit this by creating a large number of Sybil (fake) peers in the IPFS network. The adversary only needs to generate peer IDs that are a small DHT distance from the content ID they wish to censor. The attack is practical with minimal effort and cost—research estimates it can be executed for under $100, requiring only a modest number of Sybil nodes to succeed [4]. The attack does not require prior authentication or special privileges beyond the ability to join the IPFS network.

Impact

Successful exploitation allows the attacker to hijack the content resolution process. When other peers request the provider records for a targeted content ID, the attacker's Sybil nodes respond, preventing legitimate providers from being discovered. This effectively censors the content, making it unreachable via the DHT. The attack undermines IPFS's core promise of decentralized, resilient content retrieval [1][4].

Mitigation

The vulnerability has been addressed in later versions of both go-libp2p-kad-dht and IPFS. A Go vulnerability entry (GO-2024-3218) references the issue [3]. The research paper proposes effective detection and mitigation mechanisms achieving 100% mitigation of detected attacks with minimal overhead [4]. Users are advised to update to patched versions (go-libp2p-kad-dht beyond 0.20.0 and IPFS beyond 0.18.1) as soon as possible.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
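As an added illustration (not part of this advisory or of go-libp2p-kad-dht's own code), the Go program below models the keyspace assignment the description refers to and runs a simple defender-side check over a constructed network: with 2,000 random-looking peer keys, the 20 nearest a CID share about as many prefix bits as chance predicts, while 20 constructed Sybil keys beside the CID push that excess far up. The heuristic, the peer labels and the CID string are assumptions of this example, not the cited paper's mechanism.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/bits"
	"sort"
)

// commonPrefixLen counts the leading bits two 256-bit DHT keys share; more shared bits means a smaller XOR distance.
func commonPrefixLen(a, b [32]byte) int {
	for i := range a {
		if x := a[i] ^ b[i]; x != 0 {
			return i*8 + bits.LeadingZeros8(x)
		}
	}
	return 256
}

// excessPrefixBits is an illustrative defender-side check, not the cited paper's method. The k peers nearest
// a CID's key hold its provider records; among n random keys the k-th nearest shares about log2(n/k) prefix
// bits with it, so the bits beyond that shared by all k measure crowding (each one doubles it over chance).
func excessPrefixBits(target [32]byte, peers [][32]byte, k int) int {
	cpl := make([]int, len(peers))
	for i, p := range peers {
		cpl[i] = commonPrefixLen(target, p)
	}
	sort.Sort(sort.Reverse(sort.IntSlice(cpl))) // nearest peers first
	return cpl[k-1] - (bits.Len(uint(len(peers)/k)) - 1) // bits.Len(x)-1 is floor(log2 x)
}

// sampleNetwork builds honest constructed peer keys (go-libp2p-kad-dht hashes peer IDs and CIDs with SHA-256)
// plus sybils constructed keys sharing 200 leading bits with target, stand-ins for the IDs an attacker generates.
func sampleNetwork(target [32]byte, honest, sybils int) [][32]byte {
	peers := make([][32]byte, 0, honest+sybils)
	for i := 0; i < honest; i++ {
		peers = append(peers, sha256.Sum256([]byte(fmt.Sprintf("honest-peer-%d", i))))
	}
	for i := 0; i < sybils; i++ {
		s := target
		s[25], s[31] = s[25]^0x80, byte(i) // differ from target at bit 200 and from each other in the last byte
		peers = append(peers, s)
	}
	return peers
}

func main() {
	target := sha256.Sum256([]byte("constructed-example-cid"))
	honest, crowded := sampleNetwork(target, 2000, 0), sampleNetwork(target, 2000, 20)
	fmt.Printf("honest: %d excess bits; with 20 sybils: %d\n", excessPrefixBits(target, honest, 20), excessPrefixBits(target, crowded, 20))
}
```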

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/libp2p/go-libp2p-kad-dht (Go)
Affected versions: <= 0.20.0
Patched versions: none listed

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)