Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
18 vulnerabilities found for libp2p by protocol
CVE-2026-35457 (GCVE-0-2026-35457)
Vulnerability from nvd – Published: 2026-04-07 14:22 – Updated: 2026-04-07 17:53
VLAI?
Title
libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
Severity ?
8.2 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T17:53:22.542830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:53:37.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:22:19.941Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"
}
],
"source": {
"advisory": "GHSA-v5hw-cv9c-rpg7",
"discovery": "UNKNOWN"
},
"title": "libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35457",
"datePublished": "2026-04-07T14:22:19.941Z",
"dateReserved": "2026-04-02T19:25:52.193Z",
"dateUpdated": "2026-04-07T17:53:37.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35405 (GCVE-0-2026-35405)
Vulnerability from nvd – Published: 2026-04-07 14:21 – Updated: 2026-04-09 17:44
VLAI?
Title
libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T17:44:02.373442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T17:44:08.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:21:15.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"source": {
"advisory": "GHSA-cqfx-gf56-8x59",
"discovery": "UNKNOWN"
},
"title": "libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35405",
"datePublished": "2026-04-07T14:21:15.377Z",
"dateReserved": "2026-04-02T17:03:42.075Z",
"dateUpdated": "2026-04-09T17:44:08.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33040 (GCVE-0-2026-33040)
Vulnerability from nvd – Published: 2026-03-20 05:46 – Updated: 2026-03-20 15:41
VLAI?
Title
libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Severity ?
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.49.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:40:49.446258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:41:03.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.49.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T05:46:42.276Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"
}
],
"source": {
"advisory": "GHSA-gc42-3jg7-rxr2",
"discovery": "UNKNOWN"
},
"title": "libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33040",
"datePublished": "2026-03-20T05:46:42.276Z",
"dateReserved": "2026-03-17T18:10:50.210Z",
"dateUpdated": "2026-03-20T15:41:03.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40583 (GCVE-0-2023-40583)
Vulnerability from nvd – Published: 2023-08-25 20:25 – Updated: 2024-10-02 14:45
VLAI?
Title
libp2p nodes vulnerable to OOM attack
Summary
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:50.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:44:58.191460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T14:45:16.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.27.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-25T20:25:28.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
}
],
"source": {
"advisory": "GHSA-gcq9-qqwx-rgj3",
"discovery": "UNKNOWN"
},
"title": "libp2p nodes vulnerable to OOM attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40583",
"datePublished": "2023-08-25T20:25:28.297Z",
"dateReserved": "2023-08-16T18:24:02.391Z",
"dateUpdated": "2024-10-02T14:45:16.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23492 (GCVE-0-2022-23492)
Vulnerability from nvd – Published: 2022-12-08 00:08 – Updated: 2025-04-23 16:31
VLAI?
Title
go-libp2p denial of service vulnerability from lack of resource management
Summary
go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.122Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
},
{
"name": "https://docs.libp2p.io/reference/dos-mitigation/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.libp2p.io/reference/dos-mitigation/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:12.746050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:24.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T00:08:11.210Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
},
{
"name": "https://docs.libp2p.io/reference/dos-mitigation/",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.libp2p.io/reference/dos-mitigation/"
}
],
"source": {
"advisory": "GHSA-j7qp-mfxf-8xjw",
"discovery": "UNKNOWN"
},
"title": "go-libp2p denial of service vulnerability from lack of resource management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23492",
"datePublished": "2022-12-08T00:08:11.210Z",
"dateReserved": "2022-01-19T21:23:53.765Z",
"dateUpdated": "2025-04-23T16:31:24.219Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23487 (GCVE-0-2022-23487)
Vulnerability from nvd – Published: 2022-12-07 20:05 – Updated: 2025-04-23 16:31
VLAI?
Title
libp2p denial of service vulnerability from lack of resource management
Summary
js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.080Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:16.282030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:42.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T20:05:35.319Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
}
],
"source": {
"advisory": "GHSA-f44q-634c-jvwv",
"discovery": "UNKNOWN"
},
"title": "libp2p denial of service vulnerability from lack of resource management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23487",
"datePublished": "2022-12-07T20:05:35.319Z",
"dateReserved": "2022-01-19T21:23:53.762Z",
"dateUpdated": "2025-04-23T16:31:42.214Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23486 (GCVE-0-2022-23486)
Vulnerability from nvd – Published: 2022-12-07 20:03 – Updated: 2025-04-23 16:31
VLAI?
Title
libp2p-rust denial of service vulnerability from lack of resource management
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.45.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:19.966002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:48.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.45.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T20:03:35.212Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
}
],
"source": {
"advisory": "GHSA-jvgw-gccv-q5p8",
"discovery": "UNKNOWN"
},
"title": "libp2p-rust denial of service vulnerability from lack of resource management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23486",
"datePublished": "2022-12-07T20:03:35.212Z",
"dateReserved": "2022-01-19T21:23:53.761Z",
"dateUpdated": "2025-04-23T16:31:48.560Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-35457 (GCVE-0-2026-35457)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:22 – Updated: 2026-04-07 17:53
VLAI?
Title
libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
Severity ?
8.2 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T17:53:22.542830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:53:37.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:22:19.941Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"
}
],
"source": {
"advisory": "GHSA-v5hw-cv9c-rpg7",
"discovery": "UNKNOWN"
},
"title": "libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35457",
"datePublished": "2026-04-07T14:22:19.941Z",
"dateReserved": "2026-04-02T19:25:52.193Z",
"dateUpdated": "2026-04-07T17:53:37.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35405 (GCVE-0-2026-35405)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:21 – Updated: 2026-04-09 17:44
VLAI?
Title
libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T17:44:02.373442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T17:44:08.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:21:15.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"source": {
"advisory": "GHSA-cqfx-gf56-8x59",
"discovery": "UNKNOWN"
},
"title": "libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35405",
"datePublished": "2026-04-07T14:21:15.377Z",
"dateReserved": "2026-04-02T17:03:42.075Z",
"dateUpdated": "2026-04-09T17:44:08.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33040 (GCVE-0-2026-33040)
Vulnerability from cvelistv5 – Published: 2026-03-20 05:46 – Updated: 2026-03-20 15:41
VLAI?
Title
libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Severity ?
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.49.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:40:49.446258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:41:03.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.49.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T05:46:42.276Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"
}
],
"source": {
"advisory": "GHSA-gc42-3jg7-rxr2",
"discovery": "UNKNOWN"
},
"title": "libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33040",
"datePublished": "2026-03-20T05:46:42.276Z",
"dateReserved": "2026-03-17T18:10:50.210Z",
"dateUpdated": "2026-03-20T15:41:03.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40583 (GCVE-0-2023-40583)
Vulnerability from cvelistv5 – Published: 2023-08-25 20:25 – Updated: 2024-10-02 14:45
VLAI?
Title
libp2p nodes vulnerable to OOM attack
Summary
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:50.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T14:44:58.191460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T14:45:16.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.27.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-25T20:25:28.297Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
},
{
"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
}
],
"source": {
"advisory": "GHSA-gcq9-qqwx-rgj3",
"discovery": "UNKNOWN"
},
"title": "libp2p nodes vulnerable to OOM attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40583",
"datePublished": "2023-08-25T20:25:28.297Z",
"dateReserved": "2023-08-16T18:24:02.391Z",
"dateUpdated": "2024-10-02T14:45:16.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23492 (GCVE-0-2022-23492)
Vulnerability from cvelistv5 – Published: 2022-12-08 00:08 – Updated: 2025-04-23 16:31
VLAI?
Title
go-libp2p denial of service vulnerability from lack of resource management
Summary
go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.122Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
},
{
"name": "https://docs.libp2p.io/reference/dos-mitigation/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.libp2p.io/reference/dos-mitigation/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:12.746050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:24.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T00:08:11.210Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
},
{
"name": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
},
{
"name": "https://docs.libp2p.io/reference/dos-mitigation/",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.libp2p.io/reference/dos-mitigation/"
}
],
"source": {
"advisory": "GHSA-j7qp-mfxf-8xjw",
"discovery": "UNKNOWN"
},
"title": "go-libp2p denial of service vulnerability from lack of resource management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23492",
"datePublished": "2022-12-08T00:08:11.210Z",
"dateReserved": "2022-01-19T21:23:53.765Z",
"dateUpdated": "2025-04-23T16:31:24.219Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23487 (GCVE-0-2022-23487)
Vulnerability from cvelistv5 – Published: 2022-12-07 20:05 – Updated: 2025-04-23 16:31
VLAI?
Title
libp2p denial of service vulnerability from lack of resource management
Summary
js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.080Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:16.282030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:42.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T20:05:35.319Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
}
],
"source": {
"advisory": "GHSA-f44q-634c-jvwv",
"discovery": "UNKNOWN"
},
"title": "libp2p denial of service vulnerability from lack of resource management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23487",
"datePublished": "2022-12-07T20:05:35.319Z",
"dateReserved": "2022-01-19T21:23:53.762Z",
"dateUpdated": "2025-04-23T16:31:42.214Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23486 (GCVE-0-2022-23486)
Vulnerability from cvelistv5 – Published: 2022-12-07 20:03 – Updated: 2025-04-23 16:31
VLAI?
Title
libp2p-rust denial of service vulnerability from lack of resource management
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.45.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:19.966002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:31:48.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.45.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-07T20:03:35.212Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
}
],
"source": {
"advisory": "GHSA-jvgw-gccv-q5p8",
"discovery": "UNKNOWN"
},
"title": "libp2p-rust denial of service vulnerability from lack of resource management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23486",
"datePublished": "2022-12-07T20:03:35.212Z",
"dateReserved": "2022-01-19T21:23:53.761Z",
"dateUpdated": "2025-04-23T16:31:48.560Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2023-40583
Vulnerability from fkie_nvd - Published: 2023-08-25 21:15 - Updated: 2024-11-21 08:19
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*",
"matchCriteriaId": "C5F4582C-9B6B-41FB-99E1-C3B2CB0E19AD",
"versionEndExcluding": "0.27.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."
},
{
"lang": "es",
"value": "libp2p es una pila de red y una biblioteca modularizada a partir del Proyecto IPFS, y empaquetada por separado para que otras herramientas puedan utilizarla. En go-libp2p, mediante el uso de registros de pares firmados, un actor malicioso puede almacenar una cantidad arbitraria de datos en la memoria de un nodo remoto. Esta memoria no se recoge de la basura, por lo que la v\u00edctima puede quedarse sin memoria y bloquearse. Si los usuarios de go-libp2p en producci\u00f3n no monitorizan el consumo de memoria a lo largo del tiempo, podr\u00eda tratarse de un ataque silencioso, es decir, el atacante podr\u00eda hacer caer nodos durante un periodo de tiempo (el tiempo depende de los recursos del nodo, es decir, un nodo go-libp2p en un servidor virtual con 4 gb de memoria tarda unos 90 segundos en caerse; en un servidor m\u00e1s grande, podr\u00eda tardar un poco m\u00e1s). Este problema fue corregido en la versi\u00f3n 0.27.4.\n"
}
],
"id": "CVE-2023-40583",
"lastModified": "2024-11-21T08:19:45.753",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-25T21:15:09.000",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-23492
Vulnerability from fkie_nvd - Published: 2022-12-08 01:15 - Updated: 2024-11-21 06:48
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://docs.libp2p.io/reference/dos-mitigation/ | Vendor Advisory | |
| security-advisories@github.com | https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.libp2p.io/reference/dos-mitigation/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw | Mitigation, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*",
"matchCriteriaId": "DC28B9D1-484A-4395-BDF7-C238C07EB7C1",
"versionEndExcluding": "0.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks. "
},
{
"lang": "es",
"value": "go-libp2p es la implementaci\u00f3n oficial de libp2p en el lenguaje de programaci\u00f3n Go. La versi\u00f3n `0.18.0` y anteriores de go-libp2p son vulnerables a ataques de agotamiento de recursos dirigidos. Estos ataques tienen como objetivo la gesti\u00f3n de conexi\u00f3n, flujo, pares y memoria de libp2p. Un atacante puede provocar la asignaci\u00f3n de grandes cantidades de memoria, lo que en \u00faltima instancia lleva a que el sistema operativo del host elimine el proceso. Si bien un administrador de conexiones encargado de mantener la cantidad de conexiones dentro de los l\u00edmites manejables ha sido parte de go-libp2p, este componente fue dise\u00f1ado para manejar la rotaci\u00f3n regular de pares, no un ataque de agotamiento de recursos dirigido. Se recomienda a los usuarios que actualicen su versi\u00f3n de go-libp2p a la versi\u00f3n `0.18.1` o m\u00e1s reciente. Los usuarios que no puedan actualizar pueden consultar la p\u00e1gina de mitigaci\u00f3n de Denegaci\u00f3n de Servicio (DoS) (dos) para obtener m\u00e1s informaci\u00f3n sobre c\u00f3mo incorporar estrategias de mitigaci\u00f3n, monitorizar su aplicaci\u00f3n y responder a los ataques."
}
],
"id": "CVE-2022-23492",
"lastModified": "2024-11-21T06:48:40.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-08T01:15:09.697",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.libp2p.io/reference/dos-mitigation/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.libp2p.io/reference/dos-mitigation/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-23487
Vulnerability from fkie_nvd - Published: 2022-12-07 21:15 - Updated: 2024-11-21 06:48
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv | Mitigation, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "D9B43BF1-12E0-47E9-A127-1049A567B939",
"versionEndExcluding": "0.38.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "js-libp2p es la implementaci\u00f3n oficial de JavaScript de la pila de redes libp2p. Las versiones anteriores a `v0.38.0` de js-libp2p son vulnerables a ataques de agotamiento de recursos dirigidos. Estos ataques tienen como objetivo la gesti\u00f3n de conexi\u00f3n, flujo, pares y memoria de libp2p. Un atacante puede provocar la asignaci\u00f3n de grandes cantidades de memoria, lo que en \u00faltima instancia lleva a que el sistema operativo del host elimine el proceso. Si bien un administrador de conexiones encargado de mantener la cantidad de conexiones dentro de los l\u00edmites manejables ha sido parte de js-libp2p, este componente fue dise\u00f1ado para manejar la rotaci\u00f3n regular de pares, no un ataque de agotamiento de recursos dirigido. Se recomienda a los usuarios que actualicen su dependencia js-libp2p a `v0.38.0` o superior. No se conocen workaround para esta vulnerabilidad."
}
],
"id": "CVE-2022-23487",
"lastModified": "2024-11-21T06:48:39.850",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-07T21:15:10.260",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-23486
Vulnerability from fkie_nvd - Published: 2022-12-07 21:15 - Updated: 2024-11-21 06:48
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "2245C53F-5AB7-4E50-8872-54C2CA002674",
"versionEndExcluding": "0.45.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/."
},
{
"lang": "es",
"value": "libp2p-rust es la implementaci\u00f3n oficial del lenguaje Rust de la pila de redes libp2p. En versiones anteriores a la 0.45.1, un nodo atacante puede hacer que un nodo v\u00edctima asigne una gran cantidad de peque\u00f1os fragmentos de memoria, lo que en \u00faltima instancia puede provocar que el proceso de la v\u00edctima se quede sin memoria y, por lo tanto, su sistema operativo lo elimine. Cuando se ejecuta continuamente, esto puede conducir a un ataque de Denegaci\u00f3n de Servicio (DoS), especialmente relevante a mayor escala cuando se ejecuta contra m\u00e1s de un nodo de una red basada en libp2p. Se recomienda a los usuarios actualizar a `libp2p` `v0.45.1` o superior. Los usuarios que no puedan actualizar deben consultar la p\u00e1gina de Mitigaci\u00f3n de DoS para obtener m\u00e1s informaci\u00f3n sobre c\u00f3mo incorporar estrategias de mitigaci\u00f3n, monitorizar su aplicaci\u00f3n y responder a los ataques: https://docs.libp2p.io/reference/dos-mitigation/."
}
],
"id": "CVE-2022-23486",
"lastModified": "2024-11-21T06:48:39.700",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-07T21:15:10.183",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}