CVE-2023-23626 Information

Description

go-bitfield is a simple bitfield package for the go language aiming to be more performant that the standard library. When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions an attacker can trigger panics. This happen when the size is a not a multiple of 8 or is negative. There were already a note in the NewBitfield documentation however known users of this package are subject to this issue. Users are advised to upgrade. Users unable to upgrade should ensure that size is a multiple of 8 before calling NewBitfield or FromBytes.

Reference

https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579 https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r