go-ipld-prime/codec/json may panic if asked to encode bytes

GHSA-c653-6hhg-9x92 · CVE-2023-22460 · GO-2023-1269

Published Jan 5, 2023 · Modified Nov 8, 2023

Description

go-ipld-prime is a series of Go interfaces for manipulating IPLD data and a Go module that contains the go-ipld-prime/codec/json codec.

Impact

Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder which will panic as it doesn't expect to receive Bytes tokens. Such an encoding should be treated as an error, as plain JSON should not be able to encode Bytes.

This only impacts uses of the "json" codec, "dag-json" is not impacted. Use of "json" as a decoder is not impacted.

Patches

Fixed in v0.19.0.

Workarounds

Prefer the "dag-json" codec which has the ability to encode bytes.

References

See fix in #472

References

WEB https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-c653-6hhg-9x92
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-22460
WEB https://github.com/ipld/go-ipld-prime/pull/472
WEB https://github.com/ipld/go-ipld-prime/commit/146d1c8529676fe9ee0604f014656af2395505fc
PACKAGE https://github.com/ipld/go-ipld-prime
WEB https://github.com/ipld/go-ipld-prime/releases/tag/v0.19.0
WEB https://pkg.go.dev/vuln/GO-2023-1269

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes