We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-40583

libp2p nodes vulnerable to OOM attack



Description

libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.

Reserved 2023-08-16 | Published 2023-08-25 | Updated 2024-10-02 | Assigner GitHub_M


HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status

< 0.27.4
affected

References

github.com/...libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3

github.com/...ommit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd

github.com/libp2p/go-libp2p/releases/tag/v0.27.4

github.com/libp2p/go-libp2p/releases/tag/v0.27.7

cve.org (CVE-2023-40583)

nvd.nist.gov (CVE-2023-40583)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-40583

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.