{"id":"CVE-2023-40583","summary":"libp2p nodes vulnerable to OOM attack","details":"libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected, so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack, i.e. the attacker could bring down nodes over a period of time (how long depends on the node's resources; e.g. a go-libp2p node on a virtual server with 4 GB of memory takes about 90 seconds to bring down, while on a larger server it might take a bit longer). This issue was patched in version 0.27.4.","aliases":["GHSA-gcq9-qqwx-rgj3","GO-2023-2024"],"modified":"2026-04-10T05:00:53.476821Z","published":"2023-08-25T20:25:28.297Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40583.json","cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"},{"type":"WEB","url":"https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40583.json"},{"type":"ADVISORY","url":"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40583"},{"type":"FIX","url":"https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libp2p/go-libp2p","events":[{"introduced":"0"},{"fixed":"fc89448282cf623011805ed35fd27ee392b2f019"}]}],"versions":["gx/v1.0.0","gx/v2.0.1","gx/v2.0.3","gx/v3.2.0","gx/v3.2.3","gx/v3.3.1","gx/v3.3.2","gx/v3.3.4","gx/v3.3
.7","gx/v3.4.0","gx/v3.4.1","gx/v3.5.0","gx/v3.5.1","gx/v3.5.2","gx/v3.5.3","gx/v3.5.4","gx/v3.6.0","gx/v4.0.0","gx/v4.0.2","gx/v4.0.3","gx/v4.0.4","gx/v4.1.0","gx/v4.2.0","gx/v4.3.1","gx/v4.3.10","gx/v4.3.11","gx/v4.3.12","gx/v4.3.2","gx/v4.3.3","gx/v4.3.4","gx/v4.3.5","gx/v4.3.6","gx/v4.3.7","gx/v4.3.8","gx/v4.3.9","gx/v4.4.0","gx/v4.4.1","gx/v4.4.3","gx/v4.4.4","gx/v4.5.0","gx/v4.5.1","gx/v4.5.4","gx/v5.0.1","gx/v5.0.10","gx/v5.0.11","gx/v5.0.12","gx/v5.0.13","gx/v5.0.14","gx/v5.0.16","gx/v5.0.17","gx/v5.0.2","gx/v5.0.3","gx/v5.0.6","gx/v5.0.8","gx/v5.0.9","gx/v6.0.1","gx/v6.0.10","gx/v6.0.11","gx/v6.0.12","gx/v6.0.13","gx/v6.0.14","gx/v6.0.15","gx/v6.0.16","gx/v6.0.17","gx/v6.0.18","gx/v6.0.19","gx/v6.0.2","gx/v6.0.20","gx/v6.0.21","gx/v6.0.22","gx/v6.0.23","gx/v6.0.29","gx/v6.0.3","gx/v6.0.4","gx/v6.0.5","gx/v6.0.6","gx/v6.0.7","gx/v6.0.8","gx/v6.0.9","v0.0.10","v0.0.11","v0.0.12","v0.0.13","v0.0.14","v0.0.15","v0.0.16","v0.0.17","v0.0.18","v0.0.19","v0.0.2","v0.0.20","v0.0.21","v0.0.22","v0.0.23","v0.0.24","v0.0.25","v0.0.26","v0.0.27","v0.0.28","v0.0.29","v0.0.3","v0.0.30","v0.0.4","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v0.1.0","v0.1.1","v0.1.2","v0.10.0","v0.10.1","v0.10.2","v0.10.3","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.14.1","v0.14.2","v0.14.3","v0.14.4","v0.15.0-rc.1","v0.16.0","v0.16.0-dev","v0.17.0","v0.18.0","v0.18.0-rc1","v0.18.0-rc2","v0.18.0-rc3","v0.18.0-rc4","v0.18.0-rc5","v0.18.0-rc6","v0.19.0","v0.2.0","v0.2.1","v0.20.0","v0.21.0","v0.21.0-rc","v0.22.0","v0.23.0","v0.23.1","v0.23.2","v0.24.0","v0.24.0-dev","v0.24.1","v0.24.2","v0.25.0","v0.25.1","v0.26.0","v0.26.1","v0.27.0","v0.27.1","v0.27.2","v0.27.3","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.5","v0.9.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-202
3-40583.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/libp2p/js-libp2p","events":[{"introduced":"0"},{"fixed":"da83721d6d5ba1aad0eed5aff32b20696467746b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.27.4"}]}}],"versions":["v0.0.1","v0.1.0","v0.1.1","v0.10.0","v0.10.1","v0.10.2","v0.11.0","v0.12.0","v0.12.2","v0.12.3","v0.12.4","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.14.0","v0.14.1","v0.14.2","v0.14.3","v0.15.0","v0.15.1","v0.15.2","v0.16.0","v0.16.1","v0.16.2","v0.16.3","v0.16.4","v0.16.5","v0.17.0","v0.18.0","v0.19.0","v0.19.2","v0.2.0","v0.2.1","v0.20.0","v0.20.1","v0.20.2","v0.20.4","v0.21.0","v0.22.0","v0.23.0","v0.23.1","v0.24.0","v0.24.0-rc.3","v0.24.1","v0.24.2","v0.24.3","v0.24.4","v0.25.0","v0.25.0-rc.0","v0.25.0-rc.1","v0.25.0-rc.2","v0.25.0-rc.3","v0.25.0-rc.4","v0.25.0-rc.5","v0.25.0-rc.6","v0.25.1","v0.25.2","v0.25.3","v0.25.4","v0.25.5","v0.26.0","v0.26.0-rc.0","v0.26.0-rc.1","v0.26.0-rc.2","v0.26.0-rc.3","v0.26.1","v0.26.2","v0.27.0","v0.27.1","v0.27.2","v0.27.3","v0.3.0","v0.3.1","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.6.0","v0.6.1","v0.6.2","v0.7.0","v0.8.0","v0.9.0","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40583.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}