Vulnerability Report: GO-2023-2024

CVE-2023-40583, GHSA-gcq9-qqwx-rgj3
Affects: github.com/libp2p/go-libp2p
Published: Sep 13, 2023
Modified: Nov 17, 2023

A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending the node a message with a signed peer record. Signed peer records from randomly generated peers can be sent by a malicious actor. This memory does not get garbage collected and so the remote node can run out of memory (OOM).

For detailed information about this vulnerability, visit https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3.

Affected Packages

Path

Versions

Symbols
github.com/libp2p/go-libp2p/core/record

before v0.27.4
- ConsumeEnvelope
github.com/libp2p/go-libp2p/p2p/protocol/identify

before v0.27.4

all symbols

Aliases

CVE-2023-40583
GHSA-gcq9-qqwx-rgj3

References

https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3
https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd
https://vuln.go.dev/ID/GO-2023-2024.json

Credits

Marten Seemann

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL