id: GO-2023-2024
modules:
    - module: github.com/libp2p/go-libp2p
      versions:
        - fixed: 0.27.4
      vulnerable_at: 0.27.3
      packages:
        - package: github.com/libp2p/go-libp2p/core/record
          symbols:
            - ConsumeEnvelope
        - package: github.com/libp2p/go-libp2p/p2p/protocol/identify
          symbols:
            - idService.consumeMessage
          derived_symbols:
            - idService.IdentifyConn
            - idService.IdentifyWait
            - netNotifiee.Connected
summary: Out-of-memory vulnerability in github.com/libp2p/go-libp2p
description: |-
    A malicious actor can store an arbitrary amount of data in the memory of a
    remote node by sending the node a message with a signed peer record. Signed peer
    records from randomly generated peers can be sent by a malicious actor. This
    memory does not get garbage collected and so the remote node can run out of
    memory (OOM).
cves:
    - CVE-2023-40583
ghsas:
    - GHSA-gcq9-qqwx-rgj3
credits:
    - Marten Seemann
references:
    - advisory: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3
    - fix: https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd
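The failure mode in the description, as an added stdlib-only Go model that is not code from go-libp2p or from the Go vulnerability database: one connection delivers signed records for freshly generated random peer identities, a store that accepts any validly signed record grows by one entry per record and never shrinks, while a store that also requires the record's peer ID to match the connection's remote peer fills at most one slot per connection. The Ed25519 envelope, the hex-SHA-256 peer IDs, the `peerStore` type and the peer-ID-mismatch check are this example's constructions; `consumeEnvelope` is loosely modelled on the listed `ConsumeEnvelope` symbol but is not that API, and the mismatch check is an assumed mitigation for illustration, not a description of what the referenced fix commit changed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PeerID is modelled as the hex SHA-256 of an Ed25519 public key; this is a
// simplification of libp2p's multihash peer IDs, assumed for this example only.
type PeerID string

func peerIDOf(pub ed25519.PublicKey) PeerID {
	sum := sha256.Sum256(pub)
	return PeerID(hex.EncodeToString(sum[:]))
}

// signedRecord is a toy stand-in for a signed peer record envelope: the signer's
// public key, an opaque payload (e.g. addresses) and a signature over it.
type signedRecord struct {
	pub     ed25519.PublicKey
	payload []byte
	sig     []byte
}

// domain is a constructed domain-separation prefix for this example's signatures.
const domain = "example-peer-record:"

func signRecord(priv ed25519.PrivateKey, payload []byte) signedRecord {
	msg := append([]byte(domain), payload...)
	return signedRecord{pub: priv.Public().(ed25519.PublicKey), payload: payload, sig: ed25519.Sign(priv, msg)}
}

// consumeEnvelope verifies the signature and returns the signer's peer ID and payload.
// The length check matters: ed25519.Verify panics on a key of the wrong size.
func consumeEnvelope(r signedRecord) (PeerID, []byte, error) {
	if len(r.pub) != ed25519.PublicKeySize {
		return "", nil, fmt.Errorf("bad public key length %d", len(r.pub))
	}
	if !ed25519.Verify(r.pub, append([]byte(domain), r.payload...), r.sig) {
		return "", nil, fmt.Errorf("signature verification failed")
	}
	return peerIDOf(r.pub), r.payload, nil
}

// peerStore keeps one payload per peer ID and never evicts, like a store whose
// entries are only released when the owning peer disconnects (which random peers never do).
type peerStore struct{ records map[PeerID][]byte }

func newPeerStore() *peerStore { return &peerStore{records: map[PeerID][]byte{}} }

// consumeUnchecked models the weak behaviour: every validly signed record is
// stored under the peer ID it carries, whoever sent it.
func (s *peerStore) consumeUnchecked(r signedRecord) error {
	id, payload, err := consumeEnvelope(r)
	if err != nil {
		return err
	}
	s.records[id] = payload
	return nil
}

// consumeChecked additionally requires the record's peer ID to be the remote peer
// of the connection it arrived on, so one connection can occupy at most one slot.
func (s *peerStore) consumeChecked(remote PeerID, r signedRecord) error {
	id, payload, err := consumeEnvelope(r)
	if err != nil {
		return err
	}
	if id != remote {
		return fmt.Errorf("peer ID mismatch: record for %s.. arrived from %s..", id[:8], remote[:8])
	}
	s.records[id] = payload
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Simulate has one connection (the attacker's own identity) deliver its own legitimate
// record plus n records signed by random fresh peers, each with a constructed 1 KiB
// payload, and returns the entry counts of the unchecked and checked stores.
func Simulate(n int) (unchecked, checked int) {
	attacker := mustKey()
	remote := peerIDOf(attacker.Public().(ed25519.PublicKey))
	records := []signedRecord{signRecord(attacker, []byte("/ip4/192.0.2.1/tcp/4001"))}
	for i := 0; i < n; i++ {
		records = append(records, signRecord(mustKey(), make([]byte, 1024)))
	}
	weak, hard := newPeerStore(), newPeerStore()
	for _, r := range records {
		_ = weak.consumeUnchecked(r)
		_ = hard.consumeChecked(remote, r)
	}
	return len(weak.records), len(hard.records)
}

// TamperedRejected reports whether a record whose payload was altered after signing is refused.
func TamperedRejected() bool {
	r := signRecord(mustKey(), []byte("/ip4/192.0.2.1/tcp/4001"))
	r.payload = []byte("/ip4/198.51.100.9/tcp/4001")
	_, _, err := consumeEnvelope(r)
	return err != nil
}

func main() {
	u, c := Simulate(1000)
	fmt.Printf("unchecked store: %d entries, checked store: %d entries\n", u, c)
}
```

The unchecked store ends with n+1 entries for a single connection and would keep growing for as long as the attacker keeps generating keys; the checked store ends with exactly one, the attacker's own, because that is the only record whose signer matches the connection's remote peer. A real peerstore would also want a per-peer record size limit, which this example does not model.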