CVE-2026-35480: CWE-770: Allocation of Resources Without Limits or Throttling in ipld go-ipld-prime
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
AI Analysis
Technical Summary
The go-ipld-prime library, implementing IPLD interfaces and codecs for CBOR and JSON, had a vulnerability in its DAG-CBOR decoder before version 0.22.0. The decoder used collection sizes declared in CBOR headers as preallocation hints for maps and lists but did not cap these size hints or consider their memory cost. This allowed crafted small payloads to trigger excessive memory allocation, potentially leading to denial of service due to resource exhaustion. The issue is addressed by limiting or properly handling these size hints starting from version 0.22.0.
Potential Impact
An attacker can cause excessive memory allocation by sending small but specially crafted CBOR payloads, leading to denial of service conditions due to resource exhaustion. There is no impact on confidentiality or integrity. The CVSS score is 6.2 (medium severity) with an attack vector limited to local access, low complexity, no privileges required, no user interaction, and impact limited to availability.
Mitigation Recommendations
Upgrade go-ipld-prime to version 0.22.0 or later where this vulnerability is fixed. Since no official patch link or vendor advisory is provided, verify the upgrade from the official ipld project sources. Until upgraded, avoid processing untrusted CBOR payloads with vulnerable versions to reduce risk.
CVE-2026-35480: CWE-770: Allocation of Resources Without Limits or Throttling in ipld go-ipld-prime
Description
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The go-ipld-prime library, implementing IPLD interfaces and codecs for CBOR and JSON, had a vulnerability in its DAG-CBOR decoder before version 0.22.0. The decoder used collection sizes declared in CBOR headers as preallocation hints for maps and lists but did not cap these size hints or consider their memory cost. This allowed crafted small payloads to trigger excessive memory allocation, potentially leading to denial of service due to resource exhaustion. The issue is addressed by limiting or properly handling these size hints starting from version 0.22.0.
Potential Impact
An attacker can cause excessive memory allocation by sending small but specially crafted CBOR payloads, leading to denial of service conditions due to resource exhaustion. There is no impact on confidentiality or integrity. The CVSS score is 6.2 (medium severity) with an attack vector limited to local access, low complexity, no privileges required, no user interaction, and impact limited to availability.
Mitigation Recommendations
Upgrade go-ipld-prime to version 0.22.0 or later where this vulnerability is fixed. Since no official patch link or vendor advisory is provided, verify the upgrade from the official ipld project sources. Until upgraded, avoid processing untrusted CBOR payloads with vulnerable versions to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T20:49:44.453Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d51c3eaaed68159a2c1617
Added to database: 4/7/2026, 3:01:18 PM
Last enriched: 4/7/2026, 3:18:13 PM
Last updated: 4/8/2026, 12:43:25 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.