{"id":"GO-2023-2024","summary":"Out-of-memory vulnerability in github.com/libp2p/go-libp2p","details":"A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending the node a message with a signed peer record. Signed peer records from randomly generated peers can be sent by a malicious actor. This memory does not get garbage collected and so the remote node can run out of memory (OOM).","aliases":["CVE-2023-40583","GHSA-gcq9-qqwx-rgj3"],"modified":"2024-05-20T16:03:47Z","published":"2023-09-13T16:37:01Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-2024","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"},{"type":"FIX","url":"https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}],"affected":[{"package":{"name":"github.com/libp2p/go-libp2p","ecosystem":"Go","purl":"pkg:golang/github.com/libp2p/go-libp2p"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.27.4"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/libp2p/go-libp2p/core/record","symbols":["ConsumeEnvelope"]},{"path":"github.com/libp2p/go-libp2p/p2p/protocol/identify","symbols":["idService.IdentifyConn","idService.IdentifyWait","idService.consumeMessage","netNotifiee.Connected"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2024.json"}}],"schema_version":"1.7.3","credits":[{"name":"Marten Seemann"}]}