IPLD go-ipld-prime, Unbounded Recursion Stack Overflow, Critical

The vulnerability lies in the DAG-CBOR and DAG-JSON decoders of the go-ipld-prime library, which recursively traverse nested maps or lists without enforcing a depth limit. An attacker can craft a payload with extremely deep nesting (e.g., repeated `0x81` bytes for CBOR or `[[[…]]]` for JSON). Each nesting level adds a new frame to the goroutine stack. Because Go's default goroutine stack grows up to 1 GB, a payload of roughly 2 MB containing ~2 million nested structures triggers a fatal stack overflow: the runtime terminates the process, and the failure cannot be caught with `recover()`.

The existing allocation budget does not mitigate the issue: each nested header consumes only a few budget units, so the stack overflows before the budget is exhausted. Schema-free decoding (`basicnode.Prototype.Any`) always permits arbitrary depth. Schema-bound decoding only prevents deep nesting if the schema is non-recursive and has no `Any` fields; recursive type references or `Any` fields allow unbounded nesting at those points.

The fix introduces a configurable `MaxDepth` option (default 1024) in both decoders, which return `ErrDecodeDepthExceeded` when the limit is exceeded, stopping the recursion and protecting the process.

DailyCVE form:

Platform: Go IPLD
Version: All prior
Vulnerability: Unbounded recursion depth
Severity: Critical
Date: 2026-05-07

Prediction: Patched v0.21.0

What Undercode Say:

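```bash
# Detect vulnerable depth limit (pre-fix): build 2,000,000 x 0x81 plus a 0x40 terminator
{ for i in {1..2000000}; do echo -n -e '\x81'; done; echo -n -e '\x40'; } > payload.cbor
# Test stack overflow (requires vulnerable go-ipld-prime); exploit.go is not shown on this page.
# Goroutine stacks are managed by the Go runtime, so no `ulimit -s` change is involved.
go run exploit.go payload.cbor
```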

Exploit:

An attacker sends a 2 MB CBOR payload of 2 million `0x81` (array-of-1) bytes plus a terminator, driving decoder recursion to a depth of ~2M and exhausting the 1 GB goroutine stack, which crashes the process (DoS). The same applies to nested `[[[…]]]` JSON.

Protection from this CVE

Upgrade to go-ipld-prime >= v0.21.0. Set the `MaxDepth` option (e.g., `dagcbor.DecodeOptions{MaxDepth: 1024}`). Use schemas without `Any` or recursive types when possible. Apply input validation to reject suspiciously nested data.
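
The input-validation step can itself be done without recursion. The following is an added example, not go-ipld-prime code and not part of the original post: it pre-scans a CBOR payload with an explicit stack and rejects it once nesting would exceed a limit. `CheckCBORDepth`, `ErrTooDeep` and `ErrMalformed` are hypothetical names, and indefinite-length items are rejected on the assumption that the input must be valid DAG-CBOR.

```go
package main

import "errors"

// Hypothetical names for this example, not go-ipld-prime identifiers.
var ErrTooDeep = errors.New("cbor: nesting limit exceeded")
var ErrMalformed = errors.New("cbor: truncated or unsupported header")

// CheckCBORDepth walks one CBOR item with an explicit stack, never
// recursing, and fails before nesting goes deeper than limit.
func CheckCBORDepth(b []byte, limit int) error {
	var open []uint64 // items still expected in each open container
	for i := 0; i < len(b); {
		major, info := b[i]>>5, b[i]&0x1f
		arg, n := uint64(info), 0
		if info >= 24 { // argument is in the next 1, 2, 4 or 8 bytes
			arg, n = 0, 1<<(info-24)
		}
		if info > 27 || n > len(b)-i-1 { // indefinite/reserved, or truncated
			return ErrMalformed
		}
		for _, c := range b[i+1 : i+1+n] {
			arg = arg<<8 | uint64(c)
		}
		i += 1 + n
		if major >= 2 && major <= 5 && arg > uint64(len(b)-i) {
			return ErrMalformed // claims more data than remains
		}
		if major == 2 || major == 3 {
			i += int(arg) // byte or text string: skip the payload
		}
		// Child items per major type: array, map (key + value), tag (one item).
		kids := [8]uint64{4: arg, 5: 2 * arg, 6: 1}[major]
		if kids > 0 { // a container opens: enforce the limit before descending
			if len(open) >= limit {
				return ErrTooDeep
			}
			open = append(open, kids)
			continue
		}
		for len(open) > 0 && open[len(open)-1] == 1 {
			open = open[:len(open)-1] // last item of a container: close it
		}
		if len(open) == 0 {
			return nil // top-level item complete
		}
		open[len(open)-1]--
	}
	return ErrMalformed // ran out of bytes mid-item
}
```

Call it on the raw bytes before handing them to the decoder. Bytes after the first top-level item are not examined, and tags are counted as one nesting level each.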

Impact

Remote denial-of-service (crash) via a single crafted message. No memory corruption or RCE. Affects all services that use the vulnerable decoders on untrusted IPLD data (e.g., IPFS nodes, Filecoin). The patch prevents the stack overflow with a configurable depth limit.

Sources:

Reported By: github.com