SUSE CVE-2026-42328

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the DAG-CBOR and DAG-JSON decoders. An attacker can cause a fatal stack overflow by submitting payloads with deeply nested collections. Remediation Upgrade github.com/ipld/go-ipld-prime/codec/dagcbor to...

CVE-2026-42328 go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

CVE-2026-42328 go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

CVE-2026-42328

CVE-2026-42328 : go-ipld-prime prior to 0.23.0 had unbounded recursion in the DAG-CBOR and DAG-JSON decoders when processing deeply nested maps/lists. Each nesting level increases the goroutine stack, potentially causing a fatal stack overflow. The issue is resolved by a fix in version 0.23.0 . I...

EUVD-2026-32581

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list...

go-ipld-prime 安全漏洞

go-ipld-prime is an implementation of the IPLD open-source specification interface. Versions of go-ipld-prime prior to 0.23.0 contained security vulnerabilities. These vulnerabilities stemmed from the DAG-CBOR and DAG-JSON decoders having no depth limit when decoding nested mappings or lists, whi...

GHSA-W239-58X2-Q8P5 go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...

go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...

SUSE CVE-2026-35480

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

CVE-2026-35480

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

CVE-2026-35480

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

CVE-2026-35480

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

CVE-2026-35480 go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

CVE-2026-35480

CVE-2026-35480 affects the go-ipld-prime project, specifically the DAG-CBOR decoder. Prior to version 0.22.0, the decoder uses collection size hints from CBOR headers as preallocation hints for maps and lists without capping them or accounting for their cost in its allocation budget. This can lea...

CVE-2026-35480 go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers

go-ipld-prime is an implementation of the InterPlanetary Linked Data IPLD spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers a...

go-ipld-prime 安全漏洞

go-ipld-prime is an implementation of the IPLD open-source specification interface. Versions of go-ipld-prime prior to 0.22.0 contained security vulnerabilities. These vulnerabilities stemmed from the DAG-CBOR decoder using the set size declared in the CBOR header as a hint for Go’s pre-allocatio...

go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers

The DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. A CBOR map or list header c...

Malicious code in xs-js-ipld-dag-cbor (npm)

The package xs-js-ipld-dag-cbor was found to contain malicious code...

MAL-2025-39993 Malicious code in xs-js-ipld-dag-cbor (npm)

The package xs-js-ipld-dag-cbor was found to contain malicious code...