CVE-2023-39533

Name of the Vulnerable Software and Affected Versions go-libp2p versions prior to 0.27.8 go-libp2p versions prior to 0.28.2 go-libp2p versions prior to 0.29.1

Description A malicious peer can use large RSA keys to run a resource exhaustion attack and force a node to spend time doing signature verification of the large key. This issue is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step. To prevent this attack, go-libp2p now restricts RSA keys to <= 8192 bits.

Recommendations For go-libp2p versions prior to 0.27.8, update to version 0.27.8 or later and use the updated Go compiler in 1.20.7 or 1.19.12. For go-libp2p versions prior to 0.28.2, update to version 0.28.2 or later and use the updated Go compiler in 1.20.7 or 1.19.12. For go-libp2p versions prior to 0.29.1, update to version 0.29.1 or later and use the updated Go compiler in 1.20.7 or 1.19.12. As a temporary workaround is not available, updating to the specified patch releases is necessary to protect against this issue.