HIGH🇬🇧 English

CVE-2023-40583

CVSS 7.5v3.1pub. 2023-08-25upd. 2024-11-21

libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Protocol Libp2p

    APP
    Protocol
    < 0.27.4
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-35405HIGH7.5ten sam produkt

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp...

CVE-2026-35457HIGH8.2ten sam produkt

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the ...

CVE-2022-23492HIGH7.5ten sam produkt

go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of g...

CVE-2022-23486HIGH7.5ten sam produkt

libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to ...

CVE-2022-23487HIGH7.5ten sam produkt

js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` ...

CVE-2023-40583 — HIGH 7.5 | CVEbaza.pl