Skip to main content

Uncontrolled Resource Consumption

CVE-2023-40583

Severity High
Score 7.5/10

Summary

The package libp2p is a networking stack and library modularized out of The IPFS Project and bundled separately for other tools to use. In go-libp2p in versions prior to 0.27.4, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.)

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.

Advisory Timeline

  • Published