high
7.5
CWE
400
Advisory Published
CVE Published
Updated

CVE-2023-40583: libp2p nodes vulnerable to OOM attack

First published: Thu Aug 24 2023(Updated: )

### Summary In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. It is feasible to do this at scale. An attacker would have to transfer ~1/2 as much memory it wants to occupy (2x amplification factor). The attacker can perform this attack over time as the target node’s memory will not be garbage collected. This can occur because when a signed peer record is received, only the signature validity check is performed but the sender signature is not checked. Signed peer records from randomly generated peers can be sent by a malicious actor. A target node will accept the peer record as long as the signature is valid, and then stored in the peer store. There is cleanup logic in the peer store that cleans up data when a peer disconnects, but this cleanup is never triggered for the fake peer (from which signed peer records were accepted) because it was never “connected”. ### Impact If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) ### Patches Update your go-libp2p dependency to the latest release, v0.30.0 at the time of writing. If you'd like to stay on the 0.27.x release, we strongly recommend users to update to go-libp2p [0.27.7](https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7). Though this OOM issue was fixed in 0.27.4, there were subsequent patch releases afterwards (important fixes for other issues unrelated to the OOM). ### Workarounds None

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
go/github.com/libp2p/go-libp2p<=0.27.3
0.27.4
Libp2p<0.27.4

Remedy

https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-40583?

    CVE-2023-40583 has been classified as a high severity vulnerability due to the potential for a malicious actor to exhaust system memory.

  • How do I fix CVE-2023-40583?

    To mitigate CVE-2023-40583, update the go-libp2p package to version 0.27.4 or later.

  • Which versions of go-libp2p are affected by CVE-2023-40583?

    CVE-2023-40583 affects versions of go-libp2p up to and including 0.27.3.

  • What kind of attacks can be executed using CVE-2023-40583?

    An attacker can leverage CVE-2023-40583 to store arbitrary data in a target node's memory, leading to exhaustion of memory resources.

  • Is the memory exhaustion caused by CVE-2023-40583 temporary or persistent?

    The memory exhaustion caused by CVE-2023-40583 is persistent as the data stored does not get garbage collected.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203