libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HProtocol Libp2p
APPProtocol< 0.27.4
Related vulnerabilities
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp...
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the ...
go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of g...
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to ...
js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` ...