Description
@chainsafe/libp2p-noise before 4.1.2 and 5.0.3 was not correctly validating signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned.
Recommendation
Update the @chainsafe/libp2p-noise package to the latest compatible version. The version details are as follows:
Affected version(s): **< 4.1.2; >= 5.0.0, < 5.0.3** Patched version(s): **4.1.2, 5.0.3**
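As an added example (not code from the advisory or from the package itself), the affected ranges above as a dependency check: a dependency-free semver comparison plus a scan of a package-lock.json `packages` map that flags every installed copy of `@chainsafe/libp2p-noise` inside an affected range, including copies nested under other dependencies. The lockfile content is constructed for the example.

```javascript
// Added example: flags installed @chainsafe/libp2p-noise versions that fall in the
// advisory's affected ranges (< 4.1.2, and >= 5.0.0 < 5.0.3). No dependencies.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare major.minor.patch; a pre-release of X sorts before X itself.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}
const lt = (a, b) => compare(parseSemver(a), parseSemver(b)) < 0;
const gte = (a, b) => compare(parseSemver(a), parseSemver(b)) >= 0;

// Affected per the advisory: anything below 4.1.2 on the 4.x line, and the
// 5.0.0 .. 5.0.2 releases on the 5.x line. 4.1.2+ and 5.0.3+ are patched.
function isAffectedNoiseVersion(version) {
  if (lt(version, '4.1.2')) return true;
  return gte(version, '5.0.0') && lt(version, '5.0.3');
}

// Walk a lockfile v2/v3 "packages" map and report each installed copy of the
// package (top-level or nested) whose version is in an affected range.
function findAffectedInLockfile(lock, pkg = '@chainsafe/libp2p-noise') {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg = path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
    if (isPkg && entry.version && isAffectedNoiseVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): a patched top-level
// copy and a vulnerable copy nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@chainsafe/libp2p-noise': { version: '5.0.3' },
    'node_modules/some-dep/node_modules/@chainsafe/libp2p-noise': { version: '4.1.1' },
  },
};
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the parsed file; a non-empty result means a nested copy still needs the patched release even if the top-level one is already updated.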
References
Tags: npm, @chainsafe/libp2p-noise
Last updated on January 27, 2023