Boxo, formerly known as go-libipfs, is a library for building IPFS applications and implementations. In versions 0.4.0 and 0.5.0, if an attacker is able to allocate arbitrarily many bytes in the Bitswap server, those allocations persist even after the connection is closed. This affects users who accept untrusted connections with the Bitswap server, and also users of the old API stubs at `github.com/ipfs/go-libipfs/bitswap`, because those stubs transitively import `github.com/ipfs/go-libipfs/bitswap/server`. Boxo versions 0.6.0 and 0.4.1 contain a patch for this issue. As a workaround, users of the stub object at `github.com/ipfs/go-libipfs/bitswap` who do not rely on the features provided by the server can refactor their code to use the new split API, which allows them to run in client-only mode: `github.com/ipfs/go-libipfs/bitswap/client`.
History
Mon, 27 Jan 2025 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-05-10T00:00:00.000Z
Updated: 2025-02-13T16:44:30.783Z
Reserved: 2023-02-07T00:00:00.000Z
Link: CVE-2023-25568

Vulnrichment
Updated: 2024-08-02T11:25:19.272Z

NVD
Status: Modified
Published: 2023-05-10T14:15:32.187
Modified: 2024-11-21T07:49:44.800
Link: CVE-2023-25568

Redhat
No data.