CVE-2022-23486: libp2p DoS vulnerability from lack of resource management
(updated )
An attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network.
References
- github.com/advisories/GHSA-jvgw-gccv-q5p8
- github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw
- github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv
- github.com/libp2p/rust-libp2p
- github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8
- nvd.nist.gov/vuln/detail/CVE-2022-23486
- rustsec.org/advisories/RUSTSEC-2022-0084.html
Detect and mitigate CVE-2022-23486 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →