Description
@chainsafe/libp2p-noise before 4.1.2 and 5.0.3 did not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned.
Recommendation
Update the @chainsafe/libp2p-noise package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.0.3** and **< 4.1.2**
Patched version(s): **5.0.3**, **4.1.2**
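One way to check a project against the version ranges above, as an added example that is not part of the advisory or the project's own code: it scans a parsed `package-lock.json` for every installed copy of the package, including nested ones. The function names and the sample lockfile are constructed for illustration, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Affected ranges from the advisory: < 4.1.2, and >= 5.0.0 < 5.0.3.
const PKG = '@chainsafe/libp2p-noise';

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored (assumption).
function parseCore(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseCore(version);
  if (!v) return null; // unparseable (git URL, dist-tag): needs manual review
  if (cmp(v, [4, 1, 2]) < 0) return true;
  return cmp(v, [5, 0, 0]) >= 0 && cmp(v, [5, 0, 3]) < 0;
}

// Collect every installed copy from lockfile v2/v3 ("packages") or v1 ("dependencies").
function findInstalls(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG)) found.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === PKG) found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found.map((f) => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfile (not taken from the advisory).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@chainsafe/libp2p-noise': { version: '5.0.3' },
    'node_modules/libp2p/node_modules/@chainsafe/libp2p-noise': { version: '4.1.1' },
  },
};

console.log(findInstalls(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an `affected` value of `null` marks an entry whose version could not be parsed and should be checked by hand.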
Tags: npm, @chainsafe/libp2p-noise
Last updated on January 27, 2023