Description
Versions older than v0.38.0 of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system.
Recommendation
Update the libp2p package to the latest compatible version. Version details:
- Affected version(s): < 0.38.0
- Patched version(s): 0.38.0
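Since the only fix is upgrading, the practical check is whether any installed copy of the `libp2p` npm package (including nested copies pulled in by other dependencies) still falls inside the affected range. The following is an added example, not part of this advisory or of the js-libp2p project: it walks an npm lockfile "packages" map and reports every copy older than 0.38.0. The lockfile embedded below is constructed so the script runs offline; `SAMPLE_LOCK`, `findAffected` and the other names are this example's own.

```javascript
// Added example (not from the advisory): flag installed js-libp2p copies
// inside the affected range "< 0.38.0". Runs offline on a constructed lockfile.

const AFFECTED_PACKAGE = 'libp2p';   // npm name of js-libp2p
const PATCHED_VERSION = '0.38.0';    // first release outside the affected range

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Comparator: negative if a < b, 0 if equal, positive if a > b.
// A pre-release sorts before its numeric release (0.38.0-rc.1 < 0.38.0),
// so such builds are treated as affected. Pre-release tags are compared as
// plain strings, a simplification that is adequate for this range check.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

function isAffected(version) {
  return compareSemver(version, PATCHED_VERSION) < 0;
}

// Walk an npm lockfile v2/v3 "packages" map and list every affected copy,
// nested ones included (their key ends in ".../node_modules/libp2p").
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (path === '' || !entry?.version) continue;           // skip root project
    const name = entry.name ?? path.split('node_modules/').pop();
    if (name === AFFECTED_PACKAGE && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: one patched top-level copy, one vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/libp2p': { version: '0.38.0' },
    'node_modules/some-dep': { version: '2.1.0' },
    'node_modules/some-dep/node_modules/libp2p': { version: '0.37.3' },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // only the nested 0.37.3 copy is listed
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; nested copies are the ones `npm ls libp2p` makes easy to overlook.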
References
Related Issues
- Denial of Service (DoS) vulnerability in RSSHub - CVE-2022-31110
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) - CVE-2022-36083
Tags:
- npm
- libp2p
Last updated on July 14, 2023