Impact
The vulnerability arises from the DAG-CBOR and DAG-JSON decoders in go-ipld-prime recursing into each nested map or list without imposing a depth limit. A crafted payload of deeply nested collections forces the decoder to recurse once per level until the goroutine stack exceeds the Go runtime's maximum stack size (1 GB on 64-bit platforms by default), at which point the runtime aborts the whole process with a fatal "stack overflow" error. Because this is a fatal runtime error rather than a panic, it cannot be caught with recover(): every goroutine in the process dies, not only the one performing the decode. The result is a denial of service; the affected service crashes and must be restarted.
Affected Systems
Affected products include the go-ipld-prime library provided by ipld. All releases prior to version 0.23.0 are vulnerable. Applications that import the DAG-CBOR or DAG-JSON decoders and feed them user-supplied data are susceptible. The issue is fixed in 0.23.0; until that upgrade is applied, the vulnerable decoders should not be exposed to untrusted input.
Risk and Exploitability
The CVSS score of 6.2 reflects a moderate-severity denial of service. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is an attacker-crafted DAG-CBOR or DAG-JSON payload that the library is asked to decode; where the library sits behind a publicly exposed service, any client that can submit data for decoding can trigger the crash remotely. Because the flaw is a missing recursion-depth limit, the payload does not need to be large: in CBOR a single-element array costs one byte per level of nesting (0x81), and in JSON a single character ('['), so a payload of a few megabytes encodes millions of nesting levels. No local access is required; anyone who can deliver input to the vulnerable decoder can crash the process.
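The following is an added example, not code from go-ipld-prime or from the advisory, illustrating both the attack payload described under Impact and the depth check that the Risk section implies: a minimal DAG-CBOR structural walker that refuses to recurse past a caller-supplied limit. It uses only the Go standard library; the names NestedArrays, CheckDepth, skipItem and the cap MaxDepth are this example's own, not identifiers from the library. The sample map bytes are constructed by hand for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrDepthExceeded is returned when map/list nesting goes past the caller's limit.
var ErrDepthExceeded = errors.New("dag-cbor: nesting depth limit exceeded")

// MaxDepth is a hypothetical cap chosen for this example; real DAG-CBOR data
// rarely nests more than a few dozen levels, so a cap like this rejects
// nothing legitimate while keeping stack use bounded.
const MaxDepth = 1024

// NestedArrays builds the attacker's payload: n single-element arrays (0x81)
// wrapped around the integer 0 (0x00). Each nesting level costs one byte, so
// the payload is tiny relative to the recursion it triggers in an unbounded decoder.
func NestedArrays(n int) []byte {
	b := make([]byte, n+1)
	for i := 0; i < n; i++ {
		b[i] = 0x81
	}
	b[n] = 0x00
	return b
}

// readHead parses a CBOR initial byte and its argument. Only definite lengths
// are accepted, which is what DAG-CBOR mandates.
func readHead(b []byte) (major byte, arg uint64, rest []byte, err error) {
	if len(b) == 0 {
		return 0, 0, nil, errors.New("dag-cbor: unexpected end of input")
	}
	major, info := b[0]>>5, b[0]&0x1f
	b = b[1:]
	switch {
	case info < 24:
		return major, uint64(info), b, nil
	case info <= 27: // 24..27: argument follows in 1, 2, 4 or 8 bytes
		n := 1 << (info - 24)
		if len(b) < n {
			return 0, 0, nil, errors.New("dag-cbor: truncated argument")
		}
		for _, c := range b[:n] {
			arg = arg<<8 | uint64(c)
		}
		return major, arg, b[n:], nil
	default: // 28..31: reserved or indefinite length, both forbidden in DAG-CBOR
		return 0, 0, nil, fmt.Errorf("dag-cbor: invalid additional info %d", info)
	}
}

// skipItem consumes one CBOR item, recursing into arrays, maps and tags.
// depth is the nesting level of the item being read (0 for the top-level
// item); the check at the top bounds recursion before any further frame is spent.
func skipItem(b []byte, depth, maxDepth int) ([]byte, error) {
	if depth > maxDepth {
		return nil, ErrDepthExceeded
	}
	major, arg, rest, err := readHead(b)
	if err != nil {
		return nil, err
	}
	switch major {
	case 0, 1: // unsigned / negative integer: the argument is the value
		return rest, nil
	case 2, 3: // byte string / text string: the argument is the byte length
		if arg > uint64(len(rest)) {
			return nil, errors.New("dag-cbor: truncated string")
		}
		return rest[arg:], nil
	case 4, 5: // array / map: the argument is the element or pair count
		// Every element needs at least one byte, so a count larger than the
		// remaining input is bogus; reject it before looping on it.
		if arg > uint64(len(rest)) {
			return nil, errors.New("dag-cbor: element count exceeds input")
		}
		items := arg
		if major == 5 {
			items *= 2 // keys and values; cannot overflow after the check above
		}
		for i := uint64(0); i < items; i++ {
			if rest, err = skipItem(rest, depth+1, maxDepth); err != nil {
				return nil, err
			}
		}
		return rest, nil
	case 6: // tag (DAG-CBOR allows only tag 42, the CID tag): one nested item
		return skipItem(rest, depth+1, maxDepth)
	default: // major 7: false/true/null/floats; readHead already consumed the payload
		return rest, nil
	}
}

// CheckDepth validates that payload is exactly one DAG-CBOR item whose
// nesting never exceeds maxDepth. It is the pre-check a service would run
// before handing untrusted bytes to a decoder that recurses without a limit.
func CheckDepth(payload []byte, maxDepth int) error {
	rest, err := skipItem(payload, 0, maxDepth)
	if err != nil {
		return err
	}
	if len(rest) != 0 {
		return errors.New("dag-cbor: trailing bytes after top-level item")
	}
	return nil
}

func main() {
	// Constructed sample: the DAG-CBOR encoding of {"a": [1, 2], "b": "x"}.
	sample := []byte{0xa2, 0x61, 'a', 0x82, 0x01, 0x02, 0x61, 'b', 0x61, 'x'}
	fmt.Println("sample map:", CheckDepth(sample, MaxDepth))
	fmt.Println("10 levels:", CheckDepth(NestedArrays(10), MaxDepth))
	hostile := NestedArrays(1_000_000) // about 1 MB on the wire
	fmt.Printf("%d levels in %d bytes: %v\n", 1_000_000, len(hostile), CheckDepth(hostile, MaxDepth))
}
```

The walker never allocates for the data it skips, so running it ahead of the real decoder costs one linear pass over the bytes; the depth test sits before the recursive call rather than after it, so the hostile payload is rejected at frame 1025 instead of after a million frames. The same shape of check applies to DAG-JSON, where the nesting tokens are '[' and '{'.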
Enrichment source: OpenCVE (GitHub GHSA)