Protocol Boxo 0.5.0 for Go
Approved changes feed: RSS · Atom
cpe:2.3:a:protocol:boxo:0.5.0:*:*:*:*:go:*:*
part: a version: 0.5.0 update: *
| Vendor | Protocol (f2b98f42-7d41-5397-b702-40a5f7aae0b0) |
|---|---|
| Product | Boxo (2603d660-94cc-52f8-856e-5c334d99f12c) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | go |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-25568 |
vulnerable | 2026-06-03 14:49:32.944564 |
Boxo bitswap/server: DOS unbounded persistent memory leak
HIGH (8.2)
Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able allocate arbitrary many bytes in the Bitswap server, those allocations are lasting even if the connection is closed. This affects users accepting untrusted connections with the Bitswap server and also affects users using the old API stubs at `github.com/ipfs/go-libipfs/bitswap` because users then transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, those who are using the stub object at `github.com/ipfs/go-libipfs/bitswap` not taking advantage of the features provided by the server can refactor their code to use the new split API that will allow them to run in a client only mode: `github.com/ipfs/go-libipfs/bitswap/client`.
Published: 2023-05-10T00:00:00.000Z
Updated: 2025-02-13T16:44:30.783Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.