{"id":"CVE-2022-23487","summary":"libp2p denial of service vulnerability from lack of resource management","details":"js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.","aliases":["GHSA-f44q-634c-jvwv"],"modified":"2026-03-14T00:45:49.789637Z","published":"2022-12-07T20:05:35.319Z","database_specific":{"cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23487.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23487.json"},{"type":"ADVISORY","url":"https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23487"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libp2p/js-libp2p","events":[{"introduced":"0"},{"fixed":"29c803a63e5aacda1e5b87527b15bf27b31ea5a6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.38.0"}]}}],"versions":["v0.0.1","v0.1.0","v0.1.1","v0.10.0","v0.10.1","v0.10.2","v0.11.0","v0.12.0","v0.12.2","v0.12.3","v0.12.4","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.14.0","v0.14.1","v0.14.2","v0.14.3","v0.15.0","v0.15.1","v0.15.2","v0.16.0","v0.16.1","v0.16.2","v0.16
.3","v0.16.4","v0.16.5","v0.17.0","v0.18.0","v0.19.0","v0.19.2","v0.2.0","v0.2.1","v0.20.0","v0.20.1","v0.20.2","v0.20.4","v0.21.0","v0.22.0","v0.23.0","v0.23.1","v0.24.0","v0.24.0-rc.3","v0.24.1","v0.24.2","v0.24.3","v0.24.4","v0.25.0","v0.25.0-rc.0","v0.25.0-rc.1","v0.25.0-rc.2","v0.25.0-rc.3","v0.25.0-rc.4","v0.25.0-rc.5","v0.25.0-rc.6","v0.25.1","v0.25.2","v0.25.3","v0.25.4","v0.25.5","v0.26.0","v0.26.0-rc.0","v0.26.0-rc.1","v0.26.0-rc.2","v0.26.0-rc.3","v0.26.1","v0.26.2","v0.27.0","v0.27.1","v0.27.2","v0.27.3","v0.27.4","v0.27.5","v0.27.6","v0.27.7","v0.27.8","v0.28.0","v0.28.0-rc.0","v0.28.1","v0.28.10","v0.28.2","v0.28.3","v0.28.4","v0.28.5","v0.28.6","v0.28.7","v0.28.8","v0.28.9","v0.29.0","v0.29.1","v0.29.2","v0.29.3","v0.29.4","v0.3.0","v0.3.1","v0.30.0","v0.30.1","v0.30.10","v0.30.11","v0.30.12","v0.30.2","v0.30.3","v0.30.4","v0.30.5","v0.30.6","v0.30.7","v0.30.8","v0.30.9","v0.31.0","v0.31.0-rc.0","v0.31.0-rc.1","v0.31.0-rc.2","v0.31.0-rc.3","v0.31.0-rc.4","v0.31.0-rc.5","v0.31.0-rc.6","v0.31.0-rc.7","v0.31.1","v0.31.2","v0.31.3","v0.31.4","v0.31.5","v0.31.6","v0.31.7","v0.32.0","v0.32.0-rc.0","v0.32.1","v0.32.2","v0.32.3","v0.32.4","v0.32.5","v0.33.0","v0.34.0","v0.35.0","v0.35.1","v0.35.2","v0.35.3","v0.35.4","v0.35.5","v0.35.6","v0.35.7","v0.35.8","v0.36.0","v0.36.1","v0.36.2","v0.37.0","v0.37.1","v0.37.2","v0.37.3","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.8.0","v0.9.0","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23487.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/libp2p/rust-libp2p","events":[{"introduced":"0"},{"fixed":"0b7ee3fa924e97e75b12b07e4ccb5ca8f5efc44c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.38.0"}]}}],"versions":["0.13.2","libp2p-core-0.19.2","libp2p-core-0.20.0","libp2p-core-0.20.1","libp2p-core-0.21.0","libp2p-core-0.22.0","libp2p-core-0.22.1","libp2p-core-0.23.0","libp2p-core-0.
23.1","libp2p-core-0.24.0","libp2p-core-0.25.0","libp2p-core-0.25.1","libp2p-core-0.25.2","libp2p-core-0.26.0","libp2p-core-0.27.0","libp2p-core-0.27.1","libp2p-core-0.28.0","libp2p-core-0.28.1","libp2p-core-0.28.2","libp2p-core-0.28.3","libp2p-core-derive-0.20.0","libp2p-core-derive-0.20.1","libp2p-core-derive-0.20.2","libp2p-core-derive-0.21.0","libp2p-deflate-0.19.2","libp2p-deflate-0.20.0","libp2p-deflate-0.21.0","libp2p-deflate-0.22.0","libp2p-deflate-0.23.0","libp2p-deflate-0.24.0","libp2p-deflate-0.25.0","libp2p-deflate-0.26.0","libp2p-deflate-0.27.0","libp2p-deflate-0.27.1","libp2p-deflate-0.28.0","libp2p-dns-0.20.0","libp2p-dns-0.21.0","libp2p-dns-0.22.0","libp2p-dns-0.23.0","libp2p-dns-0.24.0","libp2p-dns-0.25.0","libp2p-dns-0.26.0","libp2p-dns-0.27.0","libp2p-dns-0.28.0","libp2p-dns-0.28.1","libp2p-floodsub-0.19.1","libp2p-floodsub-0.20.0","libp2p-floodsub-0.21.0","libp2p-floodsub-0.22.0","libp2p-floodsub-0.23.0","libp2p-floodsub-0.24.0","libp2p-floodsub-0.25.0","libp2p-floodsub-0.26.0","libp2p-floodsub-0.27.0","libp2p-floodsub-0.28.0","libp2p-floodsub-0.29.0","libp2p-gossipsub-0.19.2","libp2p-gossipsub-0.19.3","libp2p-gossipsub-0.20.0","libp2p-gossipsub-0.21.0","libp2p-gossipsub-0.22.0","libp2p-gossipsub-0.23.0","libp2p-gossipsub-0.24.0","libp2p-gossipsub-0.25.0","libp2p-gossipsub-0.26.0","libp2p-gossipsub-0.27.0","libp2p-gossipsub-0.28.0","libp2p-gossipsub-0.29.0","libp2p-gossipsub-0.30.0","libp2p-gossipsub-0.30.1","libp2p-identify-0.19.2","libp2p-identify-0.20.0","libp2p-identify-0.21.0","libp2p-identify-0.22.0","libp2p-identify-0.23.0","libp2p-identify-0.24.0","libp2p-identify-0.25.0","libp2p-identify-0.26.0","libp2p-identify-0.27.0","libp2p-identify-0.28.0","libp2p-identify-0.29.0","libp2p-kad-0.20.0","libp2p-kad-0.20.1","libp2p-kad-0.21.0","libp2p-kad-0.22.0","libp2p-kad-0.22.1","libp2p-kad-0.23.0","libp2p-kad-0.24.0","libp2p-kad-0.25.0","libp2p-kad-0.26.0","libp2p-kad-0.27.0","libp2p-kad-0.28.0","libp2p-kad-0.28.1","libp2p-kad-0.29.0","libp2p-kad-0
.30.0","libp2p-kad-v0.27.1","libp2p-mdns-0.19.2","libp2p-mdns-0.20.0","libp2p-mdns-0.21.0","libp2p-mdns-0.22.0","libp2p-mdns-0.23.0","libp2p-mdns-0.24.0","libp2p-mdns-0.25.0","libp2p-mdns-0.26.0","libp2p-mdns-0.27.0","libp2p-mdns-0.28.0","libp2p-mdns-0.28.1","libp2p-mdns-0.29.0","libp2p-mdns-0.30.0","libp2p-mdns-0.30.1","libp2p-mdns-0.30.2","libp2p-mplex-0.19.2","libp2p-mplex-0.20.0","libp2p-mplex-0.21.0","libp2p-mplex-0.22.0","libp2p-mplex-0.23.0","libp2p-mplex-0.23.1","libp2p-mplex-0.24.0","libp2p-mplex-0.25.0","libp2p-mplex-0.26.0","libp2p-mplex-0.27.0","libp2p-mplex-0.27.1","libp2p-mplex-0.28.0","libp2p-noise-0.19.1","libp2p-noise-0.20.0","libp2p-noise-0.21.0","libp2p-noise-0.22.0","libp2p-noise-0.23.0","libp2p-noise-0.24.0","libp2p-noise-0.25.0","libp2p-noise-0.26.0","libp2p-noise-0.27.0","libp2p-noise-0.28.0","libp2p-noise-0.29.0","libp2p-noise-0.30.0","libp2p-ping-0.19.3","libp2p-ping-0.20.0","libp2p-ping-0.21.0","libp2p-ping-0.22.0","libp2p-ping-0.23.0","libp2p-ping-0.24.0","libp2p-ping-0.25.0","libp2p-ping-0.26.0","libp2p-ping-0.27.0","libp2p-ping-0.28.0","libp2p-ping-0.29.0","libp2p-ping-v0.19.2","libp2p-plaintext-0.19.1","libp2p-plaintext-0.20.0","libp2p-plaintext-0.21.0","libp2p-plaintext-0.22.0","libp2p-plaintext-0.23.0","libp2p-plaintext-0.24.0","libp2p-plaintext-0.24.1","libp2p-plaintext-0.25.0","libp2p-plaintext-0.26.0","libp2p-plaintext-0.27.0","libp2p-plaintext-0.27.1","libp2p-plaintext-0.28.0","libp2p-pnet-0.19.1","libp2p-pnet-0.20.0","libp2p-pnet-0.29.2","libp2p-relay-0.1.0","libp2p-relay-0.2.0","libp2p-request-response-0.1.1","libp2p-request-response-0.10.0","libp2p-request-response-0.11.0","libp2p-request-response-0.2.0","libp2p-request-response-0.3.0","libp2p-request-response-0.4.0","libp2p-request-response-0.5.0","libp2p-request-response-0.6.0","libp2p-request-response-0.7.0","libp2p-request-response-0.8.0","libp2p-request-response-0.9.0","libp2p-request-response-0.9.1","libp2p-secio-0.19.2","libp2p-secio-0.20.0","libp2p-secio-0.21.0","libp2p
-secio-0.22.0","libp2p-secio-0.23.0","libp2p-secio-0.24.0","libp2p-secio-0.25.0","libp2p-secio-0.26.0","libp2p-swarm-0.19.1","libp2p-swarm-0.20.0","libp2p-swarm-0.20.1","libp2p-swarm-0.21.0","libp2p-swarm-0.22.0","libp2p-swarm-0.23.0","libp2p-swarm-0.24.0","libp2p-swarm-0.25.0","libp2p-swarm-0.25.1","libp2p-swarm-0.26.0","libp2p-swarm-0.27.0","libp2p-swarm-0.27.1","libp2p-swarm-0.27.2","libp2p-swarm-0.28.0","libp2p-swarm-0.29.0","libp2p-swarm-derive-0.22.0","libp2p-swarm-derive-0.23.0","libp2p-tcp-0.19.2","libp2p-tcp-0.20.0","libp2p-tcp-0.21.0","libp2p-tcp-0.22.0","libp2p-tcp-0.23.0","libp2p-tcp-0.24.0","libp2p-tcp-0.25.0","libp2p-tcp-0.25.1","libp2p-tcp-0.26.0","libp2p-tcp-0.27.0","libp2p-tcp-0.27.1","libp2p-tcp-0.28.0","libp2p-uds-0.19.2","libp2p-uds-0.20.0","libp2p-uds-0.21.0","libp2p-uds-0.22.0","libp2p-uds-0.23.0","libp2p-uds-0.24.0","libp2p-uds-0.25.0","libp2p-uds-0.26.0","libp2p-uds-0.27.0","libp2p-uds-0.28.0","libp2p-wasm-ext-0.20.0","libp2p-wasm-ext-0.20.1","libp2p-wasm-ext-0.21.0","libp2p-wasm-ext-0.22.0","libp2p-wasm-ext-0.23.0","libp2p-wasm-ext-0.24.0","libp2p-wasm-ext-0.25.0","libp2p-wasm-ext-0.26.0","libp2p-wasm-ext-0.27.0","libp2p-wasm-ext-0.28.0","libp2p-wasm-ext-0.28.1","libp2p-wasm-ext-0.28.2","libp2p-websocket-0.20.0","libp2p-websocket-0.20.1","libp2p-websocket-0.21.0","libp2p-websocket-0.21.1","libp2p-websocket-0.22.0","libp2p-websocket-0.23.0","libp2p-websocket-0.24.0","libp2p-websocket-0.25.0","libp2p-websocket-0.26.0","libp2p-websocket-0.26.1","libp2p-websocket-0.26.2","libp2p-websocket-0.26.3","libp2p-websocket-0.27.0","libp2p-websocket-0.28.0","libp2p-websocket-0.29.0","libp2p-yamux-0.19.1","libp2p-yamux-0.20.0","libp2p-yamux-0.21.0","libp2p-yamux-0.22.0","libp2p-yamux-0.23.0","libp2p-yamux-0.24.0","libp2p-yamux-0.25.0","libp2p-yamux-0.26.0","libp2p-yamux-0.27.0","libp2p-yamux-0.28.0","libp2p-yamux-0.29.0","libp2p-yamux-0.30.0","libp2p-yamux-0.30.1","libp2p-yamux-0.31.0","libp2p-yamux-0.32.0","multistream-select-0.10.0","multistream-select-0
.10.1","multistream-select-0.10.2","multistream-select-0.8.2","multistream-select-0.8.3","multistream-select-0.8.4","multistream-select-0.8.5","multistream-select-0.9.0","multistream-select-0.9.1","parity-multiaddr-0.10.0","parity-multiaddr-0.11.0","parity-multiaddr-0.11.1","parity-multiaddr-0.11.2","parity-multiaddr-0.9.1","parity-multiaddr-0.9.2","parity-multiaddr-0.9.3","parity-multiaddr-0.9.4","parity-multiaddr-0.9.5","parity-multiaddr-0.9.6","v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.13.1","v0.13.2","v0.14.0-alpha.1","v0.15.0","v0.16.0","v0.16.1","v0.16.2","v0.17.0","v0.18.0","v0.18.1","v0.19.0","v0.19.1","v0.2.0","v0.2.1","v0.2.2","v0.20.0","v0.20.1","v0.21.0","v0.21.1","v0.22.0","v0.23.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.28.1","v0.29.0","v0.29.1","v0.3.0","v0.3.1","v0.30.0","v0.30.1","v0.31.0","v0.31.1","v0.31.2","v0.32.0","v0.32.1","v0.32.2","v0.33.0","v0.34.0","v0.35","v0.35.1","v0.36.0","v0.37.0","v0.37.1","v0.4.0","v0.4.2","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.9.0","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}