Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNDRxLTYzNGMtanZ3ds4AAwM5

libp2p DoS vulnerability from lack of resource management

Impact

Versions older than v0.38.0 of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.

Patches (What to do as a js-libp2p consumer:)

Update your js-libp2p dependency to v0.38.0 or greater.

Workarounds

There are no workarounds, and so we recommend to upgrade your js-libp2p version.
Some range of attacks can be mitigated using OS tools (like manually blocking malicious peers using iptables or ufw ) or making use of a load balancer in front of libp2p nodes.
You can also use the allow deny list in js-libp2p to deny specific peers.

However these require direct action & responsibility on your part and are no substitutes for upgrading js-libp2p. Therefore, we highly recommend upgrading your js-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about js-libp2p resource utilization.

References

Please see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and rust-libp2p: https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8

For more information

If you have any questions or comments about this advisory, please email us at [email protected].

Permalink: https://github.com/advisories/GHSA-f44q-634c-jvwv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNDRxLTYzNGMtanZ3ds4AAwM5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 9 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-f44q-634c-jvwv, CVE-2022-23487
References: Repository: https://github.com/libp2p/js-libp2p

Affected Packages

npm:libp2p
Dependent packages: 290
Dependent repositories: 3,195
Downloads: 95,847 last month
Affected Version Ranges: < 0.38.0
Fixed in: 0.38.0
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.2, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.3, 0.15.0, 0.15.1, 0.15.2, 0.16.4, 0.16.5, 0.17.0, 0.18.0, 0.19.0, 0.19.2, 0.20.0, 0.20.1, 0.20.2, 0.20.4, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.25.6, 0.26.0, 0.26.1, 0.26.2, 0.27.0, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.27.6, 0.27.7, 0.27.8, 0.27.9, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.28.4, 0.28.5, 0.28.6, 0.28.7, 0.28.8, 0.28.9, 0.28.10, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.29.4, 0.30.0, 0.30.1, 0.30.2, 0.30.3, 0.30.4, 0.30.5, 0.30.6, 0.30.7, 0.30.8, 0.30.9, 0.30.10, 0.30.11, 0.30.12, 0.30.13, 0.31.0, 0.31.1, 0.31.2, 0.31.3, 0.31.4, 0.31.5, 0.31.6, 0.31.7, 0.31.8, 0.32.0, 0.32.1, 0.32.2, 0.32.3, 0.32.4, 0.32.5, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.35.2, 0.35.3, 0.35.4, 0.35.5, 0.35.6, 0.35.7, 0.35.8, 0.36.0, 0.36.1, 0.36.2, 0.37.0, 0.37.1, 0.37.2, 0.37.3
All unaffected versions: 0.38.0, 0.39.0, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.39.5, 0.40.0, 0.41.0, 0.42.0, 0.42.2, 0.43.0, 0.43.1, 0.43.2, 0.43.3, 0.43.4, 0.44.0, 0.45.0, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.45.8, 0.45.9, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.46.5, 0.46.6, 0.46.7, 0.46.8, 0.46.9, 0.46.10, 0.46.11, 0.46.12, 0.46.13, 0.46.14, 0.46.15, 0.46.16, 0.46.17, 0.46.18, 0.46.19, 0.46.20, 0.46.21, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0