CVE-2022-23487Uncontrolled Resource Consumption in Js-libp2p

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 43.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Libp2p Js-libp2pProtocol Libp2p
Timeline
PublishedDec 7

Description

js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limit

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDprotocol/libp2p< 0.38.0
npmprotocol/libp2p< 0.38.0
CVEListV5libp2p/js-libp2p< 0.38.0

🔴Vulnerability Details

2
GHSA
libp2p DoS vulnerability from lack of resource management2022-12-07
OSV
libp2p DoS vulnerability from lack of resource management2022-12-07
CVE-2022-23487 — Uncontrolled Resource Consumption | cvebase