GHSA-qvqg-6rp8-4p9h: 
vulnerability analysis and mitigation

A Denial of Service (DoS) vulnerability was discovered in the Bitswap server component of IPFS Kubo (formerly go-ipfs) and Boxo (formerly go-libipfs), identified as GHSA-qvqg-6rp8-4p9h and CVE-2023-25568. The vulnerability affects Kubo versions prior to 0.19.0 and Boxo versions 0.4.0 and 0.5.0, and was disclosed on May 10, 2023. The vulnerability has been assigned a CVSS score of 5.3 (Moderate severity) (GitHub Advisory).

The vulnerability allows attackers to allocate arbitrary amounts of memory in the Bitswap server by sending multiple WANTBLOCK and WANTHAVE requests that are queued in an unbounded queue. These allocations persist even after the connection is closed. The issue affects systems accepting or connecting to untrusted connections, particularly when running in the public swarm without pnet configuration. The vulnerability is especially concerning because libp2p connections are bidirectionally blind, meaning nodes that aren't publicly reachable but connect to untrusted nodes are also vulnerable (GitHub Advisory, Boxo Advisory).

The vulnerability can lead to uncontrolled resource consumption and potential denial of service through memory exhaustion. The attack is particularly effective when targeting CIDs present in the target's blockstore, as this pushes longer-lasting jobs onto priority queues. The CVSS metrics indicate no impact on confidentiality or integrity, but a low impact on availability (GitHub Advisory).

Several mitigations have been implemented in the patched versions, including limiting wantlist entries per peer to 1024, proper clearing of peer state on disconnection, ignoring CIDs above 168 bytes, and closing connections when inline CIDs are requested. Users are advised to upgrade to Kubo version 0.19.0 or later, or Boxo version 0.6.0 or 0.4.1. Alternative workarounds include using PNET, implementing swarm filters, or configuring resource manager allow lists to block untrusted connections (Boxo Advisory).