{"id":"GO-2022-1155","summary":"Panic in github.com/ipfs/go-merkledag","details":"A ProtoNode may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns.\n\nAdditionally, use of the ProtoNode.SetCidBuilder() method to set non-functioning CidBuilder (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.","aliases":["CVE-2022-23495","GHSA-x39j-h85h-3f46"],"modified":"2026-03-17T04:29:16.619483Z","published":"2022-12-22T17:41:44Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-1155","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/ipfs/go-merkledag/security/advisories/GHSA-x39j-h85h-3f46"},{"type":"REPORT","url":"https://github.com/ipfs/kubo/issues/9297"},{"type":"REPORT","url":"https://github.com/ipfs/go-merkledag/issues/90"},{"type":"FIX","url":"https://github.com/ipfs/go-merkledag/pull/91"},{"type":"FIX","url":"https://github.com/ipfs/go-merkledag/pull/92"},{"type":"FIX","url":"https://github.com/ipfs/go-merkledag/pull/93"}],"affected":[{"package":{"name":"github.com/ipfs/go-merkledag","ecosystem":"Go","purl":"pkg:golang/github.com/ipfs/go-merkledag"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.4.0"},{"fixed":"0.8.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["ProtoNode.AddNodeLink","ProtoNode.AddRawLink","ProtoNode.AsBool","ProtoNode.AsBytes","ProtoNode.AsFloat","ProtoNode.AsInt","ProtoNode.AsLink","ProtoNode.AsString","ProtoNode.Cid","ProtoNode.EncodeProtobuf","ProtoNode.IsAbsent","ProtoNode.IsNull","ProtoNode.Kind","ProtoNode.Length","ProtoNode.ListIterator","ProtoNode.Loggable","ProtoNode.LookupByIndex","ProtoNode.LookupByNode","ProtoNode.LookupBySegment","ProtoNode.LookupByString","ProtoNode.MapIterator","ProtoNode.Marshal","ProtoNode.Multihash","ProtoNode.RawData","ProtoNode.SetCidBuilder","ProtoNode.SetLinks","ProtoNode.Size","ProtoNode.Stat","ProtoNode.String","ProtoNode.UnmarshalJSON","ProtoNode.UpdateNodeLink","ProtoNode.marshalImmutable"],"path":"github.com/ipfs/go-merkledag"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-1155.json"}}],"schema_version":"1.7.5","credits":[{"name":"@mrd0ll4r (https://github.com/mrd0ll4r)"}]}