CVE-2022-23495: 
vulnerability analysis and mitigation

CVE-2022-23495 affects go-merkledag, a component that implements the 'DAGService' interface for the IPFS project. The vulnerability was discovered in versions from 0.4.0 to versions prior to 0.8.1, and was disclosed in December 2022. The issue involves a ProtoNode that can be modified to cause encode errors, triggering panics on common method calls that don't allow for error returns (GitHub Advisory).

The vulnerability stems from the ProtoNode's inability to properly handle certain states that would make it unencodeable. When conforming to the github.com/ipfs/go-block-format#Block and github.com/ipfs/go-ipld-format#Node interfaces, some methods that internally require a re-encode after state changes will panic due to the inability to return an error. Additionally, using ProtoNode#SetCidBuilder() with a non-functioning CidBuilder (such as one referencing an unavailable multihash implementation) can cause methods to panic when attempting to create a new CID (GitHub Advisory). The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability can cause service disruption through panics in the application when certain method calls are made. This affects the availability of systems using the affected versions of go-merkledag, particularly when handling ProtoNode modifications or when using certain CidBuilder configurations (GitHub Advisory).

Users are advised to upgrade to version 0.8.1 which contains the complete set of fixes. For users unable to upgrade, workarounds include sanitizing inputs when allowing user-input to set a new CidBuilder on a ProtoNode, and sanitizing Tsize (Link#Size) values to ensure reasonable byte-sizes for sub-DAGs derived from user-input. The fixes in v0.8.1 include additional checks on ProtoNode state changes, error returns instead of panics, and replacement of panics with default values (GitHub Release).