CVE-2026-42328
6.2 MEDIUMgo-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations o...
Published: 2026-05-27 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 6.2 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-674
Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2025-7010 — Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Serv... (5.5 MEDIUM)
- CVE-2025-7005 — Uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the anti... (5.5 MEDIUM)
- CVE-2026-4870 — IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontr... (7.5 HIGH)
- CVE-2026-48734 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-46557 — ImageMagick is free and open-source software used for editing and manipulating digital images (6.2 MEDIUM)