PT-2022-16021 · Js-Libp2P

P-Shahi · Published 2022-12-07 · Updated 2023-07-14 · CVE-2022-23487

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: js-libp2p versions prior to v0.38.0

Description: The issue concerns targeted resource exhaustion attacks that affect libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, leading to the process being killed by the host's operating system. The connection manager in js-libp2p, designed to handle regular peer churn, is not equipped to handle such targeted attacks.

Recommendations: For versions prior to v0.38.0, update the js-libp2p dependency to v0.38.0 or greater. As a temporary mitigation, consider using OS tools to block malicious peers or placing a load balancer in front of libp2p nodes. Additionally, use the allow/deny list in js-libp2p to deny specific peers, but note that these measures are no substitute for upgrading js-libp2p.
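The deny-list mitigation above, as an added example that is not code from js-libp2p or from this advisory: a small inbound-connection gate that combines a static peer deny list with per-peer and global caps on open inbound connections, shaped so it can be handed to js-libp2p's `connectionGater` option. The hook name and signature (`denyInboundEncryptedConnection(peerId)`) and the peer IDs used are assumptions; check the documentation of the js-libp2p release you run.

```javascript
// Added example, not js-libp2p project code. Counters are kept here rather than
// read from libp2p so the gate can be exercised stand-alone.
function createInboundGate({ denyList = [], maxPerPeer = 4, maxTotal = 200 } = {}) {
  const denied = new Set(denyList);   // peer IDs that are always refused
  const perPeer = new Map();          // peer ID -> open inbound connections
  let total = 0;                      // open inbound connections across all peers

  // Decide, without side effects, whether a new inbound connection from peerId
  // should be refused: deny list first, then the global ceiling, then the per-peer cap.
  function shouldDeny(peerId) {
    if (denied.has(peerId)) return true;
    if (total >= maxTotal) return true;
    return (perPeer.get(peerId) ?? 0) >= maxPerPeer;
  }

  // Book-keep an admitted connection; returns false and counts nothing if refused.
  function onOpen(peerId) {
    if (shouldDeny(peerId)) return false;
    perPeer.set(peerId, (perPeer.get(peerId) ?? 0) + 1);
    total += 1;
    return true;
  }

  // Release the slot when the connection closes; counters never go negative.
  function onClose(peerId) {
    const n = perPeer.get(peerId) ?? 0;
    if (n === 0) return;
    if (n === 1) perPeer.delete(peerId); else perPeer.set(peerId, n - 1);
    total -= 1;
  }

  // Assumed ConnectionGater shape (version specific): return true to refuse.
  // libp2p passes a PeerId object here, hence toString().
  const gater = {
    denyInboundEncryptedConnection: async (peerId) => shouldDeny(peerId.toString()),
  };

  return { shouldDeny, onOpen, onClose, gater, stats: () => ({ total, peers: perPeer.size }) };
}

// Constructed sample (not real peer IDs): one listed peer, then a burst from a
// single unlisted peer that hits the per-peer cap, then the global ceiling.
function demo() {
  const gate = createInboundGate({ denyList: ['PEER_LISTED'], maxPerPeer: 2, maxTotal: 3 });
  const events = ['PEER_LISTED', 'PEER_A', 'PEER_A', 'PEER_A', 'PEER_B', 'PEER_C'];
  return events.map((p) => gate.onOpen(p));   // [false, true, true, false, true, false]
}
```

Wire `gate.gater` into `createLibp2p({ connectionGater: gate.gater })` and call `onOpen`/`onClose` from the node's connection open/close events; the gate only refuses, so it complements rather than replaces the limits shipped in v0.38.0.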

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

CVE-2022-23487
GHSA-F44Q-634C-JVWV

Affected Products

Js-Libp2P