Advisories for Golang/Github.com/Libp2p/Go-Libp2p package

2023

Uncontrolled Resource Consumption

libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring …

Allocation of Resources Without Limits or Throttling

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step. To prevent …

2022

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …

Uncontrolled Resource Consumption

go-libp2p is the offical libp2p implementation in the Go programming language. Version 0.18.0 and older of go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable …