CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-CWPM-F78V-7M5C
Vulnerability from github – Published: 2022-05-24 22:10 – Updated: 2022-05-24 22:10Impact
The implementation of tf.ragged.constant does not fully validate the input arguments. This results in a denial of service by consuming all available memory:
import tensorflow as tf
tf.ragged.constant(pylist=[],ragged_rank=8968073515812833920)
Patches
We have patched the issue in GitHub commit bd4d5583ff9c8df26d47a23e508208844297310e.
The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported externally via a GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29202"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T22:10:51Z",
"nvd_published_at": "2022-05-20T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe implementation of [`tf.ragged.constant`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/ops/ragged/ragged_factory_ops.py#L146-L239) does not fully validate the input arguments. This results in a denial of service by consuming all available memory:\n\n```python\nimport tensorflow as tf\ntf.ragged.constant(pylist=[],ragged_rank=8968073515812833920)\n```\n \n### Patches\nWe have patched the issue in GitHub commit [bd4d5583ff9c8df26d47a23e508208844297310e](https://github.com/tensorflow/tensorflow/commit/bd4d5583ff9c8df26d47a23e508208844297310e).\n\nThe fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported externally via a [GitHub issue](https://github.com/tensorflow/tensorflow/issues/55199).\n",
"id": "GHSA-cwpm-f78v-7m5c",
"modified": "2022-05-24T22:10:51Z",
"published": "2022-05-24T22:10:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cwpm-f78v-7m5c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29202"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/issues/55199"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/bd4d5583ff9c8df26d47a23e508208844297310e"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/ops/ragged/ragged_factory_ops.py#L146-L239"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service in `tf.ragged.constant` due to lack of validation"
}
GHSA-CWQQ-W8C3-R2JW
Vulnerability from github – Published: 2019-08-23 00:04 – Updated: 2021-08-17 21:57MetadataExtractor 2.1.0 allows stack consumption.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.0"
},
"package": {
"ecosystem": "NuGet",
"name": "MetadataExtractor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14262"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2019-08-22T15:04:25Z",
"nvd_published_at": "2019-07-25T05:15:00Z",
"severity": "HIGH"
},
"details": "MetadataExtractor 2.1.0 allows stack consumption.",
"id": "GHSA-cwqq-w8c3-r2jw",
"modified": "2021-08-17T21:57:17Z",
"published": "2019-08-23T00:04:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14262"
},
{
"type": "WEB",
"url": "https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in MetadataExtractor"
}
GHSA-CX66-WGV6-FPFH
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.
{
"affected": [],
"aliases": [
"CVE-2024-9437"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:48Z",
"severity": "HIGH"
},
"details": "SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.",
"id": "GHSA-cx66-wgv6-fpfh",
"modified": "2025-03-20T12:32:51Z",
"published": "2025-03-20T12:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9437"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/27404e9c-eb3d-4626-a9d9-8dc1b3295ce0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CX8M-8XMX-Q8V3
Vulnerability from github – Published: 2018-10-10 17:25 – Updated: 2023-09-12 18:51Versions of memjs prior to 1.2.2 are vulnerable to Denial of Service (DoS). The package fails to sanitize the value option passed to the Buffer constructor, which may allow attackers to pass large values exhausting system resources.
Recommendation
Upgrade to version 1.2.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "memjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3767"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:33:11Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Versions of `memjs` prior to 1.2.2 are vulnerable to Denial of Service (DoS). The package fails to sanitize the `value` option passed to the Buffer constructor, which may allow attackers to pass large values exhausting system resources.\n\n\n## Recommendation\n\nUpgrade to version 1.2.2 or later.",
"id": "GHSA-cx8m-8xmx-q8v3",
"modified": "2023-09-12T18:51:51Z",
"published": "2018-10-10T17:25:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3767"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/319809"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-cx8m-8xmx-q8v3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in memjs"
}
GHSA-CXC2-V3V8-GGCP
Vulnerability from github – Published: 2022-07-12 00:00 – Updated: 2022-07-12 00:00In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.
{
"affected": [],
"aliases": [
"CVE-2022-30791"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-11T11:15:00Z",
"severity": "MODERATE"
},
"details": "In CmpBlkDrvTcp of CODESYS V3 in multiple versions an uncontrolled ressource consumption allows an unauthorized attacker to block new TCP connections. Existing connections are not affected.",
"id": "GHSA-cxc2-v3v8-ggcp",
"modified": "2022-07-12T00:00:57Z",
"published": "2022-07-12T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30791"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17128\u0026token=bee4d8a57f19be289d623ec90135493b5f9179e3\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CXJF-PR27-7Q48
Vulnerability from github – Published: 2022-08-05 00:00 – Updated: 2022-08-11 00:00In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2022-35241"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-04T18:15:00Z",
"severity": "MODERATE"
},
"details": "In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-cxjf-pr27-7q48",
"modified": "2022-08-11T00:00:31Z",
"published": "2022-08-05T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35241"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K37080719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXPW-2G23-2VGW
Vulnerability from github – Published: 2026-02-20 21:52 – Updated: 2026-02-23 22:30Vulnerability
The ACP bridge accepted very large prompt text blocks and could assemble oversized prompt payloads before forwarding them to chat.send.
Because ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.17 - Patched version:
2026.2.18(planned next release)
Impact
- Local ACP sessions may become less responsive when very large prompts are submitted
- Larger-than-expected model usage/cost when oversized text is forwarded
- No privilege escalation and no direct remote attack path in the default ACP model
Affected Components
src/acp/event-mapper.tssrc/acp/translator.ts
Remediation
- Enforce a 2 MiB prompt-text limit before concatenation
- Count inter-block newline separator bytes during pre-concatenation size checks
- Keep final outbound message-size validation before
chat.send - Avoid stale active-run session state when oversized prompts are rejected
- Add regression tests for oversize rejection and active-run cleanup
Fix Commit(s)
732e53151e8fbdfc0501182ddb0e900878bdc1e3ebcf19746f5c500a41817e03abecadea8655654a63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c
Thanks @aether-ai-agent for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.17"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27576"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-20T21:52:44Z",
"nvd_published_at": "2026-02-21T10:16:13Z",
"severity": "MODERATE"
},
"details": "## Vulnerability\n\nThe ACP bridge accepted very large prompt text blocks and could assemble oversized prompt payloads before forwarding them to `chat.send`.\n\nBecause ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.17`\n- Patched version: `2026.2.18` (planned next release)\n\n## Impact\n\n- Local ACP sessions may become less responsive when very large prompts are submitted\n- Larger-than-expected model usage/cost when oversized text is forwarded\n- No privilege escalation and no direct remote attack path in the default ACP model\n\n## Affected Components\n\n- `src/acp/event-mapper.ts`\n- `src/acp/translator.ts`\n\n## Remediation\n\n- Enforce a 2 MiB prompt-text limit before concatenation\n- Count inter-block newline separator bytes during pre-concatenation size checks\n- Keep final outbound message-size validation before `chat.send`\n- Avoid stale active-run session state when oversized prompts are rejected\n- Add regression tests for oversize rejection and active-run cleanup\n\n## Fix Commit(s)\n\n- `732e53151e8fbdfc0501182ddb0e900878bdc1e3`\n- `ebcf19746f5c500a41817e03abecadea8655654a`\n- `63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c`\n\nThanks @aether-ai-agent for reporting.",
"id": "GHSA-cxpw-2g23-2vgw",
"modified": "2026-02-23T22:30:08Z",
"published": "2026-02-20T21:52:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs"
}
GHSA-F2F8-4Q6M-2PW8
Vulnerability from github – Published: 2023-05-26 18:30 – Updated: 2024-04-04 04:21In Cloud foundry routing release versions from 0.262.0 and prior to 0.266.0,a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool.
{
"affected": [],
"aliases": [
"CVE-2023-20882"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-26T17:15:13Z",
"severity": "MODERATE"
},
"details": "In Cloud foundry routing release versions from 0.262.0 and prior to 0.266.0,a bug in the gorouter process can lead to a denial of service of applications hosted on Cloud Foundry. Under the right circumstances, when client connections are closed prematurely, gorouter marks the currently selected backend as failed and removes it from the routing pool.",
"id": "GHSA-f2f8-4q6m-2pw8",
"modified": "2024-04-04T04:21:08Z",
"published": "2023-05-26T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20882"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2023-20882-gorouter-pruning-via-client-disconnect-resulting-in-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2GQ-74F6-V2F7
Vulnerability from github – Published: 2023-11-10 06:30 – Updated: 2023-11-10 06:30IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service. IBM X-Force ID: 267965.
{
"affected": [],
"aliases": [
"CVE-2023-45167"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-10T04:15:07Z",
"severity": "MODERATE"
},
"details": "IBM AIX\u0027s 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service. IBM X-Force ID: 267965.",
"id": "GHSA-f2gq-74f6-v2f7",
"modified": "2023-11-10T06:30:18Z",
"published": "2023-11-10T06:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45167"
},
{
"type": "WEB",
"url": "https://aix.software.ibm.com/aix/efixes/security/python_advisory6.asc"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/267965"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7068084"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2GR-7299-487H
Vulnerability from github – Published: 2022-07-06 20:06 – Updated: 2022-07-06 20:06Impact
go-ipfs nodes crash when trying to import certain malformed CAR files due to an issue in the go-car dependency. This impacts nodes running ipfs dag import on untrusted user inputs, for example, pinning services with a car ingest endpoint.
This include the corresponding HTTP RPC API v0/dag/import endpoint.
An attacker controlling the car file passed in can also make the node allocate arbitrary sized buffers creating memory exhaustion attacks.
Patches
0.13.1, 0.14 and later.
Forks
For those running on forked versions of go-ipfs, simply updating the version of github.com/ipld/go-car/v2 you are using to >= v2.4.0 should resolve the issue.
Libraries consumers
Any users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-car.
You can check if your Go module has a dependency on go-car by running a command such as go mod graph | grep go-car in your module root.
Note: if you are using other libraries, some parts of go-car (github.com/ipld/go-car/v2/index/...) have not fully been fixed yet. Please see go-car's security advisory for more information. go-ipfs do not make use of this code.
Workarounds
The best way to work around this is to control exposure to the HTTP RPC API endpoint for CAR imports to only work with trusted data.
You can also validate that the car will not crash go-ipfs by running car verify on it first (go install github.com/ipld/go-car/cmd/car@latest).
References
See also the go-car security advisory.
For more information
If you have any questions or comments about this advisory: 1. Ask in the IPFS Discourse 1. Ask in the IPFS Discord #ipld-chatter 1. Open an issue in go-ipfs
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ipfs/go-ipfs"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T20:06:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\ngo-ipfs nodes crash when trying to import certain malformed CAR files due to an issue in the go-car dependency. This impacts nodes running `ipfs dag import` on untrusted user inputs, for example, pinning services with a car ingest endpoint.\nThis include the corresponding [HTTP RPC API `v0/dag/import`](https://docs.ipfs.io/reference/http/api/#api-v0-dag-import) endpoint.\n\nAn attacker controlling the car file passed in can also make the node allocate arbitrary sized buffers creating memory exhaustion attacks.\n\n### Patches\n0.13.1, 0.14 and later.\n\n#### Forks\nFor those running on forked versions of go-ipfs, simply updating the version of `github.com/ipld/go-car/v2` you are using to \u003e= v2.4.0 should resolve the issue.\n\n#### Libraries consumers\nAny users of libraries within the go-ipfs ecosystem, even if not the go-ipfs package or binary itself, may be affected and should upgrade their dependency on go-car.\n\nYou can check if your Go module has a dependency on go-car by running a command such as `go mod graph | grep go-car` in your module root.\n\nNote: if you are using other libraries, some parts of go-car (`github.com/ipld/go-car/v2/index/...`) have not fully been fixed yet. Please see [go-car\u0027s security advisory](https://github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg) for more information. go-ipfs do not make use of this code.\n\n### Workarounds\nThe best way to work around this is to control exposure to the [HTTP RPC API endpoint for CAR imports](https://docs.ipfs.io/reference/http/api/#api-v0-dag-import) to only work with trusted data.\n\nYou can also validate that the car will not crash go-ipfs by running `car verify` on it first (`go install github.com/ipld/go-car/cmd/car@latest`).\n\n### References\nSee also the [go-car security advisory](https://github.com/ipld/go-car/security/advisories/GHSA-9x4h-8wgm-8xfg).\n\n### For more information\nIf you have any questions or comments about this advisory:\n1. Ask in the [IPFS Discourse](discuss.ipfs.io/)\n1. Ask in the [IPFS Discord #ipld-chatter](https://discord.gg/ipfs)\n1. Open an issue in [go-ipfs](https://github.com/ipfs/go-ipfs)",
"id": "GHSA-f2gr-7299-487h",
"modified": "2022-07-06T20:06:56Z",
"published": "2022-07-06T20:06:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-f2gr-7299-487h"
},
{
"type": "PACKAGE",
"url": "https://github.com/ipfs/go-ipfs"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "DOS and excessive memory usage when passing untrusted user input to to dag import"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.