RUSTSEC-2022-0084

libp2p Lack of resource management DoS

Reported

July 12, 2022

Issued

February 2, 2023

Package

libp2p (crates.io)

Type

Vulnerability

Categories

denial-of-service

Aliases

CVE-2022-23486
GHSA-jvgw-gccv-q5p8

References

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.45.1

Description

libp2p allows a potential attacker to cause victim p2p node to run out of memory

The out of memory failure can cause crashes where libp2p is intended to be used within large scale networks leading to potential Denial of Service (DoS) vector

Users should upgrade or reference the DoS mitigation strategies.

Advisory available under CC0-1.0 license.