{"id":"CVE-2023-39533","summary":"libp2p nodes vulnerable to attack using large RSA keys","details":"go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step. To prevent this attack, go-libp2p versions 0.27.8, 0.28.2, and 0.29.1 restrict RSA keys to \u003c= 8192 bits. To protect one's application, it is necessary to update to these patch releases and to use the updated Go compiler in 1.20.7 or 1.19.12. There are no known workarounds for this issue.","aliases":["GHSA-876p-8259-xjgg","GO-2023-2000"],"modified":"2026-04-10T04:59:29.834983Z","published":"2023-08-08T18:50:05.418Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39533.json","cwe_ids":["CWE-770"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39533.json"},{"type":"ADVISORY","url":"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39533"},{"type":"REPORT","url":"https://github.com/golang/go/issues/61460"},{"type":"FIX","url":"https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017"},{"type":"FIX","url":"https://github.com/libp2p/go-libp2p/commit/0cce607219f3710addc7e18672cffd1f1d912fbb"},{"type":"FIX","url":"https://github.com/libp2p/go-libp2p/commit/445be526aea4ee0b1fa5388aa65d32b2816d3a00"},{"type":"FIX","url":"https://github.com/libp2p/go-libp2p/commit/e30fcf7dfd4715ed89a5e68d7a4f774d3b9aa92d"},{"type":"FIX","url":"https://github.com/libp2p/go-libp2p/pull/2454"},{"type":"FIX","url":"https://github.com/quic-go/quic-go/pull/4012"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang/go","events":[{"introduced":"0"},{"fixed":"2350afd2e8ab054390e284c95d5b089c142db017"}]}],"versions":["go1.10beta1","go1.10beta2","go1.10rc1","go1.10rc2","go1.11beta1","go1.11beta2","go1.11beta3","go1.12beta1","go1.12beta2","go1.13beta1","go1.14beta1","go1.15beta1","go1.16beta1","go1.17beta1","go1.18beta1","go1.18beta2","go1.19beta1","go1.3beta1","go1.3beta2","go1.4beta1","go1.5beta1","go1.5beta2","go1.5beta3","go1.6beta1","go1.6beta2","go1.7beta1","go1.7beta2","go1.7rc1","go1.7rc2","go1.7rc3","go1.7rc4","go1.8beta1","go1.8beta2","go1.9beta1","go1.9beta2","release.r56","weekly","weekly.2009-11-06","weekly.2009-11-10","weekly.2009-11-10.1","weekly.2009-11-12","weekly.2009-11-17","weekly.2009-12-07","weekly.2009-12-09","weekly.2009-12-22","weekly.2010-01-05","weekly.2010-01-13","weekly.2010-01-27","weekly.2010-02-04","weekly.2010-02-17","weekly.2010-02-23","weekly.2010-03-04","weekly.2010-03-15","weekly.2010-03-22","weekly.2010-03-30","weekly.2010-04-13","weekly.2010-04-27","weekly.2010-05-04","weekly.2010-05-27","weekly.2010-06-09","weekly.2010-06-21","weekly.2010-07-01","weekly.2010-07-14","weekly.2010-07-29","weekly.2010-08-04","weekly.2010-08-11","weekly.2010-08-25","weekly.2010-09-06","weekly.2010-09-15","weekly.2010-09-22","weekly.2010-09-29","weekly.2010-10-13","weekly.2010-10-13.1","weekly.2010-10-20","weekly.2010-10-27","weekly.2010-11-02","weekly.2010-11-10","weekly.2010-11-23","weekly.2010-12-02","weekly.2010-12-08","weekly.2010-12-15","weekly.2010-12-15.1","weekly.2010-12-22","weekly.2011-01-06","weekly.2011-01-12","weekly.2011-01-19","weekly.2011-01-20","weekly.2011-02-01","weekly.2011-02-01.1","weekly.2011-02-15","weekly.2011-02-24","weekly.2011-03-07","weekly.2011-03-07.1","weekly.2011-03-15","weekly.2011-03-28","weekly.2011-04-04","weekly.2011-04-13","weekly.2011-04-27","weekly.2011-05-22","weekly.2011-06-02","weekly.2011-06-09","weekly.2011-06-16","weekly.2011-06-23","weekly.2011-07-07","weekly.2011-07-19","weekly.2011-07-29","weekly.2011-08-10","weekly.2011-08-17","weekly.2011-09-01","weekly.2011-09-07","weekly.2011-09-16","weekly.2011-09-21","weekly.2011-10-06","weekly.2011-10-18","weekly.2011-10-25","weekly.2011-10-26","weekly.2011-11-01","weekly.2011-11-02","weekly.2011-11-08","weekly.2011-11-09","weekly.2011-11-18","weekly.2011-12-01","weekly.2011-12-02","weekly.2011-12-06","weekly.2011-12-14","weekly.2011-12-22","weekly.2012-01-15","weekly.2012-01-20","weekly.2012-01-27","weekly.2012-02-07","weekly.2012-02-14","weekly.2012-02-22","weekly.2012-03-04","weekly.2012-03-13","weekly.2012-03-22","weekly.2012-03-27"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39533.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/libp2p/go-libp2p","events":[{"introduced":"0"},{"fixed":"8506ab233441d434bb777615fffefab64b06f335"},{"last_affected":"636a0966a69a90d54128288465fb48c148741399"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.27.8"},{"last_affected":"= 0.29.0"}]}},{"type":"GIT","repo":"https://github.com/libp2p/go-libp2p","events":[{"introduced":"703c3a4377d1ca2cf3fc93c92c883be1644f3ba6"},{"fixed":"256b838b551a74e682e7fd2c5ac2022d09c78b94"}],"database_specific":{"versions":[{"introduced":"0.28.0"},{"fixed":"0.28.2"}]}}],"versions":["gx/v1.0.0","gx/v2.0.1","gx/v2.0.3","gx/v3.2.0","gx/v3.2.3","gx/v3.3.1","gx/v3.3.2","gx/v3.3.4","gx/v3.3.7","gx/v3.4.0","gx/v3.4.1","gx/v3.5.0","gx/v3.5.1","gx/v3.5.2","gx/v3.5.3","gx/v3.5.4","gx/v3.6.0","gx/v4.0.0","gx/v4.0.2","gx/v4.0.3","gx/v4.0.4","gx/v4.1.0","gx/v4.2.0","gx/v4.3.1","gx/v4.3.10","gx/v4.3.11","gx/v4.3.12","gx/v4.3.2","gx/v4.3.3","gx/v4.3.4","gx/v4.3.5","gx/v4.3.6","gx/v4.3.7","gx/v4.3.8","gx/v4.3.9","gx/v4.4.0","gx/v4.4.1","gx/v4.4.3","gx/v4.4.4","gx/v4.5.0","gx/v4.5.1","gx/v4.5.4","gx/v5.0.1","gx/v5.0.10","gx/v5.0.11","gx/v5.0.12","gx/v5.0.13","gx/v5.0.14","gx/v5.0.16","gx/v5.0.17","gx/v5.0.2","gx/v5.0.3","gx/v5.0.6","gx/v5.0.8","gx/v5.0.9","gx/v6.0.1","gx/v6.0.10","gx/v6.0.11","gx/v6.0.12","gx/v6.0.13","gx/v6.0.14","gx/v6.0.15","gx/v6.0.16","gx/v6.0.17","gx/v6.0.18","gx/v6.0.19","gx/v6.0.2","gx/v6.0.20","gx/v6.0.21","gx/v6.0.22","gx/v6.0.23","gx/v6.0.29","gx/v6.0.3","gx/v6.0.4","gx/v6.0.5","gx/v6.0.6","gx/v6.0.7","gx/v6.0.8","gx/v6.0.9","v0.0.10","v0.0.11","v0.0.12","v0.0.13","v0.0.14","v0.0.15","v0.0.16","v0.0.17","v0.0.18","v0.0.19","v0.0.2","v0.0.20","v0.0.21","v0.0.22","v0.0.23","v0.0.24","v0.0.25","v0.0.26","v0.0.27","v0.0.28","v0.0.29","v0.0.3","v0.0.30","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v0.1.2","v0.10.0","v0.10.1","v0.10.2","v0.10.3","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.14.1","v0.14.2","v0.14.3","v0.14.4","v0.15.0-rc.1","v0.16.0","v0.16.0-dev","v0.17.0","v0.18.0","v0.18.0-rc1","v0.18.0-rc2","v0.18.0-rc3","v0.18.0-rc4","v0.18.0-rc5","v0.18.0-rc6","v0.19.0","v0.2.0","v0.2.1","v0.20.0","v0.21.0","v0.21.0-rc","v0.22.0","v0.23.0","v0.23.1","v0.23.2","v0.24.0","v0.24.0-dev","v0.24.1","v0.24.2","v0.25.0","v0.25.1","v0.26.0","v0.26.1","v0.27.0","v0.27.1","v0.27.2","v0.27.3","v0.27.4","v0.27.5","v0.27.6","v0.27.7","v0.28.0","v0.28.1","v0.29.0","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.5","v0.9.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39533.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}