CVE-2020-26279

7.7 HIGH

📋 TL;DR

CVE-2020-26279 is a path traversal vulnerability in go-ipfs that allows attackers to overwrite files or write to incorrect directories when retrieving DAGs containing relative paths. This affects users running go-ipfs versions before 0.8.0-rc1 who retrieve untrusted DAGs. The vulnerability can lead to arbitrary file write and potential system compromise.
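The class of check that prevents this failure mode, as an added example that is not go-ipfs's own code or its actual patch: each entry path taken from a retrieved DAG is validated component by component and then confirmed to resolve under the output directory before anything is written. The helper names `resolveEntry` and `auditEntries`, the output root and the sample entries are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// resolveEntry maps one entry path from a retrieved DAG onto outRoot and
// refuses anything that would land outside it. Hypothetical helper, not go-ipfs API.
func resolveEntry(outRoot, entry string) (string, error) {
	// Link names use "/" whatever the host OS; a backslash is also rejected
	// because it acts as a separator on Windows.
	for _, part := range strings.Split(entry, "/") {
		if part == "" || part == "." || part == ".." || strings.Contains(part, `\`) {
			return "", errors.New("unsafe path component in entry: " + entry)
		}
	}
	root, err := filepath.Abs(outRoot)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, filepath.FromSlash(entry))
	// Second line of defence: the cleaned target must still sit under root.
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("entry escapes output root: " + entry)
	}
	return target, nil
}

// auditEntries splits entry paths into those safe to write and those rejected.
func auditEntries(outRoot string, entries []string) (safe, rejected []string) {
	for _, e := range entries {
		if _, err := resolveEntry(outRoot, e); err != nil {
			rejected = append(rejected, e)
		} else {
			safe = append(safe, e)
		}
	}
	return safe, rejected
}

func main() {
	// Constructed entry names for illustration only.
	entries := []string{"site/index.html", "../outside.txt", "site/../../outside.txt", "/abs/outside.txt"}
	safe, rejected := auditEntries("/tmp/ipfs-out", entries)
	fmt.Println("safe:", safe)
	fmt.Println("rejected:", rejected)
}
```

The component check rejects absolute paths and empty names as well as `..`, so the containment test after `filepath.Join` only acts as a backstop.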

💻 Affected Systems

Products:
  • go-ipfs
Versions: All versions before 0.8.0-rc1
Operating Systems: All platforms running go-ipfs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects DAG retrieval operations; requires retrieving malicious DAGs containing relative paths.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary file overwrite leading to remote code execution or data destruction.

🟠 Likely Case

Local file corruption, data loss, or unauthorized file writes to sensitive directories.

🟢 If Mitigated

Limited to controlled directories with proper file permissions and sandboxing.

🌐 Internet-Facing: MEDIUM - Requires retrieving malicious DAGs from untrusted sources, but IPFS nodes often interact with external peers.
🏢 Internal Only: LOW - Internal-only nodes with trusted DAG sources are less likely to be affected.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to retrieve a specially crafted DAG from an attacker-controlled source.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.0-rc1 and later

Vendor Advisory: https://github.com/ipfs/go-ipfs/security/advisories/GHSA-27pv-q55r-222g

Restart Required: Yes

Instructions:

1. Stop the go-ipfs service.
2. Update to version 0.8.0-rc1 or later using your package manager or from GitHub releases.
3. Restart the go-ipfs service.

🔧 Temporary Workarounds

Restrict DAG sources

Platform: all

Only retrieve DAGs from trusted sources and peers.

Run with restricted permissions

Platform: linux

Run go-ipfs with minimal file system permissions using containerization or user isolation.

docker run --read-only -v /ipfs-data:/data ipfs/go-ipfs

🧯 If You Can't Patch

  • Implement strict network controls to only allow DAG retrieval from trusted sources.
  • Run go-ipfs in a sandboxed environment with restricted file system access.

🔍 How to Verify

Check if Vulnerable:

Check go-ipfs version: if version is below 0.8.0-rc1, the system is vulnerable.

Check Version:

ipfs version

Verify Fix Applied:

After updating, verify version is 0.8.0-rc1 or higher and test DAG retrieval with known safe sources.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write patterns during DAG retrieval
  • Errors related to path resolution in go-ipfs logs

Network Indicators:

  • Retrieval of DAGs from unknown or untrusted peers

SIEM Query:

source="go-ipfs" AND ("path traversal" OR "relative path" OR "DAG retrieval error")
