32 matches found

RedhatCVE
added 2026/01/09 8:44 a.m. · 6 views

CVE-2022-23492

go-libp2p is the official libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large...

CVSS 7.5 · AI score 6.6 · EPSS 0.00591
Exploits: 0 · References: 1

OSV
added 2024/10/25 6:30 p.m. · 8 views

GHSA-MQR9-HJR8-2M9W Content Censorship in the InterPlanetary File System (IPFS) via Kademlia DHT abuse

The Kademlia DHT go-libp2p-kad-dht 0.20.0 and earlier used in IPFS 0.18.1 and earlier assigns routing information for content i.e., information about who holds the content to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content...

CVSS 5.3 · AI score 5 · EPSS 0.001
Exploits: 0 · References: 4

Vulnrichment
added 2024/10/25 12:0 a.m. · 9 views

CVE-2023-26248

The Kademlia DHT go-libp2p-kad-dht 0.20.0 and earlier used in IPFS 0.18.1 and earlier assigns routing information for content i.e., information about who holds the content to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an attacker to censor content...

AI score 6.5 · EPSS 0.001
Exploits: 0 · References: 2

IBM Security Bulletins
added 2024/08/08 3:17 p.m. · 26 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to resource exhaustion attack due to github.com/Cloudflare/cfssl (CVE-2023-39533)

Summary: github.com/Cloudflare/cfssl is used by IBM Cloud Pak for Data. CVE-2023-39533. Vulnerability Details: CVEID: CVE-2023-39533. DESCRIPTION: libp2p go-libp2p is vulnerable to a denial of service, caused by a flaw during the signature verification. By sending a specially crafted request using...

CVSS 7.5 · AI score 7.3 · EPSS 0.00118
Exploits: 1 · Affected Software: 1

IBM Security Bulletins
added 2023/11/29 10:23 p.m. · 50 views

Security Bulletin: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data 4.8.0 has addressed security vulnerabilities

Summary: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data 4.8.0 resolves vulnerabilities in Golang Go, Gin-Gonic Gin and libp2p go-libp2p. A vulnerability where sensitive information could be shared due to insecure network communication has also been addressed. Please refer to the table...

CVSS 7.5 · AI score 7.1 · EPSS 0.00432
Exploits: 3 · Affected Software: 1

RedhatCVE
added 2023/10/04 2:25 p.m. · 32 views

CVE-2023-39533

A flaw was found in the go-libp2p package. A malicious peer can use large RSA keys to run a resource exhaustion attack and force a node to spend time doing signature verification of the large key. This issue is present in the core/crypto module of go-libp2p and can occur during the Noise handshak...

CVSS 7.5 · AI score 6.6 · EPSS 0.00118
Exploits: 1 · References: 9

CVE
added 2023/08/25 8:25 p.m. · 57 views

CVE-2023-40583

CVE-2023-40583 affects go-libp2p (libp2p Go implementation). A malicious actor can inject signed peer records to a remote node, causing unbounded memory growth in the victim’s node and eventual crash due to out-of-memory (OOM). The issue is explicitly documented as memory retention with no automa...

CVSS 7.5 · AI score 7.4 · EPSS 0.00395
Exploits: 0 · References: 4 · Affected Software: 1

Vulnrichment
added 2023/08/25 8:25 p.m. · 12 views

CVE-2023-40583 libp2p nodes vulnerable to OOM attack

libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and...

CVSS 7.5 · AI score 6.8 · EPSS 0.00395
Exploits: 0 · References: 4

CNNVD
added 2023/08/25 12:0 a.m. · 1 views

go-libp2p resource management error vulnerability

go-libp2p is the libp2p implementation in Go. A resource management error vulnerability exists in go-libp2p 0.27.3 and earlier versions, which stems from a vulnerability that allows an attacker to store an arbitrary amount of data in a remote node's memory using signed peer records...

CVSS 7.5 · AI score 7.5 · EPSS 0.00395
Exploits: 0 · References: 5

Github Security Blog
added 2023/08/24 10:22 p.m. · 42 views

libp2p nodes vulnerable to OOM attack

Summary: In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. It is feasible to do this at scale. An attacker would have to transfe...

CVSS 7.5 · AI score 6.7 · EPSS 0.00395
Exploits: 0 · References: 6 · Affected Software: 1

OSV
added 2023/08/24 10:22 p.m. · 22 views

GHSA-GCQ9-QQWX-RGJ3 libp2p nodes vulnerable to OOM attack

Summary: In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. It is feasible to do this at scale. An attacker would have to transfe...

CVSS 7.5 · AI score 7.4 · EPSS 0.00395
Exploits: 0 · References: 6

Positive Technologies
added 2023/08/24 12:0 a.m. · 2 views

PT-2023-27520 · Go-Libp2P · Go-Libp2P

Name of the Vulnerable Software and Affected Versions: go-libp2p versions prior to 0.27.4; go-libp2p versions prior to 0.30.0. Description: A malicious actor can store an arbitrary amount of data in a remote node's memory by sending the node a message with a signed peer record. This memory does not...

CVSS 7.5 · AI score 7.4 · EPSS 0.00395
Exploits: 0 · References: 11

Github Security Blog
added 2023/08/09 1:18 p.m. · 39 views

libp2p nodes vulnerable to attack using large RSA keys

Impact: A malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extensio...

CVSS 7.5 · AI score 6.7 · EPSS 0.00118
Exploits: 1 · References: 11 · Affected Software: 1

OSV
added 2023/08/09 1:18 p.m. · 34 views

GHSA-876P-8259-XJGG libp2p nodes vulnerable to attack using large RSA keys

Impact: A malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extensio...

CVSS 7.5 · AI score 7.4 · EPSS 0.00118
Exploits: 1 · References: 11

OSV
added 2023/08/08 7:15 p.m. · 2 views

AZL-27875 CVE-2023-39533 affecting package msft-golang for versions less than 1.19.12-1

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

CVSS 7.5 · AI score 7.1 · EPSS 0.00118
Exploits: 1 · References: 1

NVD
added 2023/08/08 7:15 p.m. · 16 views

CVE-2023-39533

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

CVSS 7.5 · AI score 7.4 · EPSS 0.00118
Exploits: 1 · References: 8

OSV
added 2023/08/08 7:15 p.m. · 1 views

AZL-37422 CVE-2023-39533 affecting package golang for versions less than 1.21.6-1

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

CVSS 7.5 · AI score 7.1 · EPSS 0.00118
Exploits: 1 · References: 1

OSV
added 2023/08/08 7:15 p.m. · 2 views

AZL-79074 CVE-2023-39533 affecting package golang 1.25.7-1

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

CVSS 7.5 · AI score 7.1 · EPSS 0.00118
Exploits: 1 · References: 1

Prion
added 2023/08/08 7:15 p.m. · 25 views

Design/Logic Flaw

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

CVSS 5 · AI score 7.4 · EPSS 0.00118
Exploits: 1 · References: 8 · Affected Software: 1

CVE
added 2023/08/08 6:50 p.m. · 206 views

CVE-2023-39533

CVE-2023-39533 affects the Go libp2p core/crypto implementation (Noise handshake and x509 verification) where malicious peers can force a resource exhaustion by using large RSA keys. The issue is mitigated by restricting RSA keys to

CVSS 7.5 · AI score 7.4 · EPSS 0.00118
Exploits: 1 · References: 8 · Affected Software: 1