GO-2023-2024
- Source
- https://pkg.go.dev/vuln/GO-2023-2024
- Import Source
- https://vuln.go.dev/ID/GO-2023-2024.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2023-2024
- Aliases
- Published
- 2023-09-13T16:37:01Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Out-of-memory vulnerability in github.com/libp2p/go-libp2p
- Details
-
A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending the node a message with a signed peer record. Signed peer records from randomly generated peers can be sent by a malicious actor. This memory does not get garbage collected and so the remote node can run out of memory (OOM).
- Database specific
{ "url": "https://pkg.go.dev/vuln/GO-2023-2024", "review_status": "REVIEWED" }- References
- Credits
-
-
- Marten Seemann
-
Affected packages
Go / github.com/libp2p/go-libp2p
Package
- Name
- github.com/libp2p/go-libp2p
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/libp2p/go-libp2p
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.27.4
Ecosystem specific
{
"imports": [
{
"symbols": [
"ConsumeEnvelope"
],
"path": "github.com/libp2p/go-libp2p/core/record"
},
{
"symbols": [
"idService.IdentifyConn",
"idService.IdentifyWait",
"idService.consumeMessage",
"netNotifiee.Connected"
],
"path": "github.com/libp2p/go-libp2p/p2p/protocol/identify"
}
]
}