
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-25568 affects Boxo (formerly known as go-libipfs), a library for building IPFS applications and implementations, in versions 0.4.0 and 0.5.0. The vulnerability was disclosed on May 10, 2023, and allows attackers to allocate arbitrary amounts of memory in the Bitswap server through WANT_BLOCK and WANT_HAVE requests, with allocations persisting even after connection closure (GitHub Advisory).
The vulnerability stems from an unbounded queue in the Bitswap server that stores WANT_BLOCK and WANT_HAVE requests. The issue affects both users accepting untrusted connections with the Bitswap server and those using the old API stubs at github.com/ipfs/go-libipfs/bitswap. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) by NVD, while GitHub assigned it a score of 8.2 HIGH. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption) (NVD).
An attacker can exploit this vulnerability to cause a denial of service by allocating arbitrary amounts of memory in the Bitswap server. The allocations persist even after connection closure, potentially leading to resource exhaustion. The attack is particularly effective when using CIDs present in the target's blockstore, as this pushes longer-lasting jobs on priority queues (GitHub Advisory).
The vulnerability has been patched in Boxo versions 0.6.0 and 0.4.1. Key mitigations include limiting wantlist entries per peer (defaults to 1024), properly clearing peer state on disconnection, ignoring CIDs above a certain size (defaults to 168 bytes), and closing the connection when an inline CID is requested. For users who do not need the server features, a workaround is to refactor code to use the new split API in client-only mode at github.com/ipfs/boxo/bitswap/client (GitHub Advisory).
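To make the mitigations concrete, the following is an added example (not Boxo's code and not from the advisory) of a bounded per-peer want ledger that applies the same three input-side rules: a cap of 1024 distinct wantlist entries per peer, rejection of CIDs longer than 168 bytes before any state is created, and closing the connection (clearing the peer's state) when an inline CID is requested. The `Server`, `fakeCID` and `inlineCID` names are hypothetical; the inline-CID check assumes the binary CIDv1 layout of uvarint version, codec and multihash code, with the identity multihash (code 0x00) marking an inline CID.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Defaults quoted in the advisory for the patched releases: at most 1024 wantlist
// entries per peer, and CIDs longer than 168 bytes are ignored.
const (
	MaxWantlistPerPeer = 1024
	MaxCIDLen          = 168
)

var (
	ErrWantlistFull = errors.New("wantlist full for this peer")
	ErrCIDTooLarge  = errors.New("cid exceeds size limit")
	ErrInlineCID    = errors.New("inline cid requested; connection closed")
)

// WantType distinguishes the two request kinds named in the advisory.
type WantType int

const (
	WantBlock WantType = iota
	WantHave
)

// Server is a hypothetical stand-in for the Bitswap server's per-peer ledger, not
// Boxo's code. Wants are keyed by CID so re-sends of the same CID don't grow the map.
// Locking is omitted for brevity; a real server guards this map with a mutex.
type Server struct {
	peers  map[string]map[string]WantType
	limit  int
	maxCID int
}

func NewServer(limit, maxCID int) *Server {
	return &Server{peers: make(map[string]map[string]WantType), limit: limit, maxCID: maxCID}
}

// isInlineCID reports whether a CIDv1 uses the identity multihash (code 0x00), i.e.
// the "CID" embeds the content itself. Assumes the binary CIDv1 layout
// <version><codec><mh-code>... as uvarints; CIDv0 starts with 0x12 and is never inline.
func isInlineCID(cid []byte) bool {
	ver, n := binary.Uvarint(cid)
	if n <= 0 || ver != 1 {
		return false
	}
	_, m := binary.Uvarint(cid[n:])
	if m <= 0 {
		return false
	}
	code, k := binary.Uvarint(cid[n+m:])
	return k > 0 && code == 0
}

// AddWant queues one WANT_BLOCK/WANT_HAVE entry for peer, applying the input-side
// limits before any state is allocated on the peer's behalf.
func (s *Server) AddWant(peer string, cid []byte, t WantType) error {
	if len(cid) > s.maxCID {
		return ErrCIDTooLarge // ignored; no state is created
	}
	if isInlineCID(cid) {
		s.Disconnect(peer) // patched behaviour: close the connection outright
		return ErrInlineCID
	}
	wants := s.peers[peer]
	if wants == nil {
		wants = make(map[string]WantType)
		s.peers[peer] = wants
	}
	key := string(cid)
	if _, seen := wants[key]; !seen && len(wants) >= s.limit {
		return ErrWantlistFull // new entries beyond the cap are refused
	}
	wants[key] = t
	return nil
}

// Disconnect drops every queued want for peer, so nothing outlives the connection.
func (s *Server) Disconnect(peer string) { delete(s.peers, peer) }

// WantCount returns how many distinct CIDs are queued for peer (0 if unknown).
func (s *Server) WantCount(peer string) int { return len(s.peers[peer]) }

// fakeCID builds a constructed CIDv1 (raw codec 0x55, sha2-256 multihash) for the demo.
func fakeCID(i int) []byte {
	sum := sha256.Sum256([]byte{byte(i), byte(i >> 8)})
	return append([]byte{0x01, 0x55, 0x12, 0x20}, sum[:]...)
}

// inlineCID builds a constructed CIDv1 with the identity multihash wrapping "hello".
func inlineCID() []byte { return []byte{0x01, 0x55, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'} }

func main() {
	s := NewServer(MaxWantlistPerPeer, MaxCIDLen)
	for i := 0; i < 2000; i++ {
		_ = s.AddWant("peerA", fakeCID(i), WantBlock)
	}
	fmt.Println("queued for peerA:", s.WantCount("peerA")) // 1024, not 2000
	s.Disconnect("peerA")
	fmt.Println("after disconnect:", s.WantCount("peerA")) // 0
	fmt.Println("inline cid:", s.AddWant("peerB", inlineCID(), WantHave))
}
```

The design point is ordering: size and inline checks run before the peer's map is touched, so a rejected request costs no memory, and the cap counts distinct CIDs rather than messages, so a peer re-sending the same want cannot inflate its footprint. Disconnect deletes the whole per-peer map, which is what prevents allocations from outliving the connection.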
Source: This report was generated using AI