Description

go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.

Severity

 

CVSS Version 3.x CVSS Version 2.0

CVSS 3.x Severity and Metrics:

CNA:  GitHub, Inc.

Base Score:  7.5 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: The NVD and the CNA have provided the same score. When this occurs only the CNA information is displayed, but the Acceptance Level icon for the CNA is given a checkmark to signify NVD concurrence.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base Score: N/A

NVD score not yet provided.

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://docs.libp2p.io/reference/dos-mitigation/	Vendor Advisory
https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de	Patch  Third Party Advisory
https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw	Mitigation  Third Party Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-400	Uncontrolled Resource Consumption	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

1 change records found show changes

Initial Analysis by NIST 12/09/2022 10:04:08 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:* versions up to (excluding) 0.18.0
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Changed	Reference Type	https://docs.libp2p.io/reference/dos-mitigation/ No Types Assigned	https://docs.libp2p.io/reference/dos-mitigation/ Vendor Advisory
Changed	Reference Type	https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de No Types Assigned	https://github.com/libp2p/go-libp2p/commit/15d7dfbf54264ead8e6f49ca658d79c90635e2de Patch, Third Party Advisory
Changed	Reference Type	https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw No Types Assigned	https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw Mitigation, Third Party Advisory