Vulnerability Details : CVE-2023-40583
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
Products affected by CVE-2023-40583
- cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-40583
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 44 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-40583
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-40583
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-40583
-
https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd
identify: reject signed peer records on peer ID mismatch · libp2p/go-libp2p@45d3c6f · GitHubPatch
-
https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4
Release v0.27.4 · libp2p/go-libp2p · GitHubRelease Notes
-
https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7
Release v0.27.7 · libp2p/go-libp2p · GitHubRelease Notes
-
https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3
libp2p nodes vulnerable to OOM attack · Advisory · libp2p/go-libp2p · GitHubVendor Advisory
Jump to