Vulnerability Report: GO-2023-2024
- CVE-2023-40583, GHSA-gcq9-qqwx-rgj3
- Affects: github.com/libp2p/go-libp2p
- Published: Sep 13, 2023
- Modified: May 20, 2024
A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending it a message containing a signed peer record; because records signed by randomly generated peers are accepted, the actor can send any number of them. This memory is not garbage collected, so the remote node can run out of memory (OOM).
For detailed information about this vulnerability, visit https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3.
Affected Packages
Path / Go Versions / Symbols
- Go Versions: before v0.27.4
- Go Versions: before v0.27.4; Symbols: 4 unexported affected symbols
  - idService.IdentifyConn
  - idService.IdentifyWait
  - idService.consumeMessage
  - netNotifiee.Connected
References
- https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3
- https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd
- https://vuln.go.dev/ID/GO-2023-2024.json
Credits
- Marten Seemann