
Cloud Vulnerability DB
A community-led vulnerabilities database
GHSA-q3j6-22wf-3jh9 (CVE-2023-25568) affects github.com/ipfs/go-bitswap versions prior to v0.12.0 and was discovered and disclosed on May 10, 2023. It is a denial-of-service issue: an unbounded, persistent memory leak in the Bitswap server component. The package has since moved to github.com/ipfs/boxo/bitswap, where the vulnerability continues to be tracked (GitHub Advisory).
A remote peer can make the Bitswap server allocate arbitrary amounts of memory by sending many WANTBLOCK and WANTHAVE requests, which are placed in an unbounded queue. These allocations persist even after the connection is closed. The vulnerability has a CVSS v3.1 score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It particularly affects users who accept untrusted connections to the Bitswap server and those still using the old API stubs (NIST NVD, Boxo Advisory).
The result is denial of service through unbounded memory consumption. The effect is strongest when the requested CIDs are present in the target's blockstore, because that pushes longer-lasting jobs onto the priority queues. The impact is amplified by the fact that the allocations outlive the connection that created them (Boxo Advisory).
Several mitigations have been implemented: 1) the server now limits wantlist entries per peer to 1024 by default; 2) peer state is properly cleared on disconnection; 3) CIDs above 168 bytes are ignored; and 4) connections are closed if inline CIDs are requested. Users should upgrade to boxo v0.6.0 or later, or to v0.4.1 (note that v0.5.0 is not safe). Users of the go-bitswap stubs who do not need server features can instead refactor to client-only mode with github.com/ipfs/boxo/bitswap/client (Boxo Advisory).
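As an added illustration (not boxo's or go-bitswap's own code), the Go snippet below models the fixed server-side behaviour listed above: a per-peer wantlist capped at 1024 entries, CIDs over 168 bytes ignored, inline (identity-multihash) CIDs rejected with a connection close, and all per-peer state freed on disconnect. The WantlistServer type, its methods and the drop-newest policy at the cap are assumptions of this example, as is the simplified binary CID parser.

```go
package main

import "encoding/binary"
import "errors"

// Limits are quoted from the advisory; the rest illustrates the fix and is not boxo's code.
const (
	maxWantlistEntriesPerPeer = 1024 // default per-peer cap after the fix
	maxCIDLen                 = 168  // longer CIDs are ignored
)
var ErrInlineCID = errors.New("inline cid requested: close the connection")
// multihashCode reads the multihash function code from a binary CID: CIDv0 is a
// bare sha2-256 multihash, CIDv1 is varint version, varint codec, then multihash.
func multihashCode(cid []byte) (uint64, bool) {
	if len(cid) == 34 && cid[0] == 0x12 && cid[1] == 0x20 {
		return 0x12, true
	}
	off, code := 0, uint64(0)
	for i := 0; i < 3; i++ { // version, codec, multihash function code
		v, n := binary.Uvarint(cid[off:])
		if n <= 0 || (i == 0 && v != 1) {
			return 0, false // truncated, overflowing, or not CIDv1
		}
		off, code = off+n, v
	}
	return code, true
}
// WantlistServer maps a peer ID to its bounded set of wanted CIDs (single-goroutine use).
type WantlistServer map[string]map[string]struct{}
// AddWant queues one WANT_BLOCK/WANT_HAVE entry; ErrInlineCID means drop the connection.
func (s WantlistServer) AddWant(peer string, cid []byte) (queued bool, err error) {
	code, ok := multihashCode(cid)
	if len(cid) > maxCIDLen || !ok {
		return false, nil // oversized or malformed: ignored, connection stays open
	}
	if code == 0x00 { // identity multihash: the CID inlines its own data
		return false, ErrInlineCID
	}
	if s[peer] == nil {
		s[peer] = map[string]struct{}{}
	}
	if _, dup := s[peer][string(cid)]; !dup && len(s[peer]) >= maxWantlistEntriesPerPeer {
		return false, nil // assumed policy: the newest entry is dropped once the cap is hit
	}
	s[peer][string(cid)] = struct{}{}
	return true, nil
}

// Disconnected frees the peer's whole queue; before v0.12.0 it outlived the connection.
func (s WantlistServer) Disconnected(peer string) { delete(s, peer) }
```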
Source: This report was generated using AI