PT-2023-27520 · Go-Libp2P

Marten-Seemann

Published 2023-08-24 · Updated 2023-09-13

CVE-2023-40583

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
go-libp2p versions prior to 0.27.4
go-libp2p versions prior to 0.30.0

Description
A malicious actor can store an arbitrary amount of data in a remote node's memory by sending the node a message containing a signed peer record. This memory is never garbage collected, so the victim node can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, this can be a silent attack in which the attacker brings down nodes over a period of time, depending on the node's resources. For example, a go-libp2p node on a virtual server with 4 GB of memory can be brought down in about 90 seconds.

Recommendations
For go-libp2p versions prior to 0.27.4, update to version 0.27.4 or later to resolve the issue. For users who want to stay on the 0.27.x release, update to go-libp2p version 0.27.7. For the latest release, update to go-libp2p version 0.30.0. As a temporary workaround, consider monitoring memory consumption closely to detect potential attacks.
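The workaround above is to watch memory consumption over time. The following Go program is an added example (not code from go-libp2p or from this advisory) of what that monitoring can look like from inside a node process: it samples the Go heap with runtime.ReadMemStats on a fixed interval and raises an alert when the heap grows monotonically across a whole window at a rate above a threshold. The monotonic check separates a leak, where memory is never reclaimed, from the normal sawtooth of a healthy garbage collector. The interval, window length and threshold are assumptions chosen for illustration; the sample data in the demo is constructed.

```go
package main

import (
	"fmt"
	"runtime"
	"time"
)

// MemSample is one observation of heap-in-use bytes taken at a point in time.
type MemSample struct {
	At        time.Time
	HeapInuse uint64
}

// SampleHeap records the current heap-in-use bytes from the Go runtime.
func SampleHeap() MemSample {
	var ms runtime.MemStats
	runtime.ReadMemStats(&ms)
	return MemSample{At: time.Now(), HeapInuse: ms.HeapInuse}
}

// GrowthBytesPerSec returns the average heap growth rate between the first
// and last sample of the window (negative if the heap shrank).
func GrowthBytesPerSec(window []MemSample) float64 {
	if len(window) < 2 {
		return 0
	}
	first, last := window[0], window[len(window)-1]
	secs := last.At.Sub(first.At).Seconds()
	if secs <= 0 {
		return 0
	}
	return (float64(last.HeapInuse) - float64(first.HeapInuse)) / secs
}

// SustainedGrowth reports whether the heap never shrank within the window and
// the average growth rate exceeds thresholdBytesPerSec. A window with a dip is
// treated as normal GC activity, not as an attack.
func SustainedGrowth(window []MemSample, thresholdBytesPerSec float64) bool {
	if len(window) < 2 {
		return false
	}
	for i := 1; i < len(window); i++ {
		if window[i].HeapInuse < window[i-1].HeapInuse {
			return false
		}
	}
	return GrowthBytesPerSec(window) > thresholdBytesPerSec
}

// Watch samples the heap every interval, keeps the last windowLen samples and
// calls alert with the growth rate whenever SustainedGrowth fires. It returns
// after maxSamples observations so the demo below terminates.
func Watch(interval time.Duration, windowLen, maxSamples int, threshold float64, alert func(rate float64)) {
	window := make([]MemSample, 0, windowLen)
	for i := 0; i < maxSamples; i++ {
		window = append(window, SampleHeap())
		if len(window) > windowLen {
			window = window[1:]
		}
		if len(window) == windowLen && SustainedGrowth(window, threshold) {
			alert(GrowthBytesPerSec(window))
		}
		time.Sleep(interval)
	}
}

func main() {
	// Constructed demo: a goroutine keeps allocating and retaining memory,
	// which is the symptom the advisory describes. The threshold here (1 MiB/s)
	// is an illustrative assumption; a production value depends on the node's
	// normal allocation profile.
	var retained [][]byte
	go func() {
		for {
			retained = append(retained, make([]byte, 4<<20)) // 4 MiB per step
			time.Sleep(100 * time.Millisecond)
		}
	}()
	Watch(200*time.Millisecond, 5, 15, float64(1<<20), func(rate float64) {
		fmt.Printf("ALERT: heap growing at %.1f MiB/s without reclaim\n", rate/float64(1<<20))
	})
	_ = retained
}
```

In a real deployment the alert callback would feed a metrics or paging system rather than print; the important design choice is the window-wide monotonic test, which keeps ordinary GC cycles from tripping the alarm while still catching memory that is never released.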

Exploit · Fix · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-40583
GHSA-GCQ9-QQWX-RGJ3
GO-2023-2024

Affected Products

Go-Libp2P