Vulnerability Report: GO-2022-1148

CVE-2022-23492, GHSA-j7qp-mfxf-8xjw
Affects: github.com/libp2p/go-libp2p
Published: Dec 14, 2022
Modified: May 20, 2024

go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory ultimately leading to the process getting killed by the host's operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. It's recommend to update to v0.21.0 onwards to get some useful functionality that will help in production environments like better metrics around resource usage, Grafana dashboards around resource usage, allow list support, and default autoscaling limits.

For detailed information about this vulnerability, visit https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw.

Affected Packages

Path

Versions

Symbols
github.com/libp2p/go-libp2p

before v0.18.0
6 affected symbols
github.com/libp2p/go-libp2p/config

before v0.18.0
github.com/libp2p/go-libp2p/p2p/host/autonat

before v0.18.0
- New
github.com/libp2p/go-libp2p/p2p/host/basic

before v0.18.0
- NewHost
github.com/libp2p/go-libp2p/p2p/protocol/circuitv1/relay

before v0.18.0
- NewRelay
github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/client

before v0.18.0
- Client.Dial
github.com/libp2p/go-libp2p/p2p/protocol/circuitv2/relay

before v0.18.0
- New
- Relay.Close
github.com/libp2p/go-libp2p/p2p/protocol/holepunch

before v0.18.0
- Service.DirectConnect

Aliases

References

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL