high
7.5
CWE
770
Advisory Published
Advisory Published
Updated

CVE-2023-39533: libp2p nodes vulnerable to attack using large RSA keys

First published: Tue Aug 08 2023(Updated: )

### Impact A malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step. To prevent this attack, go-libp2p now restricts RSA keys to <= 8192 bits. ### Patches Users should upgrade their go-libp2p versions to >=v0.27.8, >= v0.28.2, or >=v0.29.1 To protect your application, it's necessary to update to these patch releases **AND** to use the updated Go compiler (1.20.7 or 1.19.12, respectively) ### Workarounds There are no known workarounds ### References The Golang crypto/tls package also had this vulnerability ("verifying certificate chains containing large RSA keys is slow” https://github.com/golang/go/issues/61460) Fix in golang/go crypto/tls: https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017 Fix in quic-go https://github.com/quic-go/quic-go/pull/4012

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Golang Go<1.19.12
Golang Go>=1.20.0<1.20.7
Libp2p Go-libp2p<0.27.8
Libp2p Go-libp2p>=0.28.0<0.28.2
Libp2p Go-libp2p=0.29.0
Quic Project Quic<0.37.2
IBM Planning Analytics on Cloud Pak for Data<=4.0

Remedy

https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017

Remedy

https://github.com/libp2p/go-libp2p/commit/0cce607219f3710addc7e18672cffd1f1d912fbb

Remedy

https://github.com/libp2p/go-libp2p/commit/445be526aea4ee0b1fa5388aa65d32b2816d3a00

Remedy

https://github.com/libp2p/go-libp2p/commit/e30fcf7dfd4715ed89a5e68d7a4f774d3b9aa92d

Remedy

https://github.com/libp2p/go-libp2p/pull/2454

Remedy

https://github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg

Remedy

https://github.com/quic-go/quic-go/pull/4012

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2023-39533?

    CVE-2023-39533 is a vulnerability in the go-libp2p Networking Stack that allows a malicious peer to launch a resource exhaustion attack.

  • What is the impact of CVE-2023-39533?

    The impact of CVE-2023-39533 is that it can force a node to spend time doing signature verification of large RSA keys, leading to resource exhaustion.

  • Which software versions are affected by CVE-2023-39533?

    The affected software versions of CVE-2023-39533 are go-libp2p versions 0.27.8, 0.28.0 to 0.28.2, and 0.29.0.

  • How can I fix CVE-2023-39533?

    To fix CVE-2023-39533, update your go-libp2p package to version 0.29.1 or higher.

  • Where can I find more information about CVE-2023-39533?

    You can find more information about CVE-2023-39533 in the references provided: [GitHub Commit #1](https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017), [GitHub Issue](https://github.com/golang/go/issues/61460), [GitHub Commit #2](https://github.com/libp2p/go-libp2p/commit/0cce607219f3710addc7e18672cffd1f1d912fbb).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203