7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23486

GHSA ID

GHSA-jvgw-gccv-q5p8

EPSS Score

0.21532%

CWE

CWE-400

Published

12/7/2022

Updated

7/14/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23486

CVE-2022-23486: libp2p DoS vulnerability from lack of resource management

Impact

An attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network.

Details

In the original version of the attack, the malicious node would continuously open new streams on a single connection using a stream multiplexer that doesn’t provide sufficient back pressure (mplex or yamux). While allocations per stream might be considered small, they multiply with the number of streams and connections. It is easy to defend against this one attack, e.g. by setting a strict per connection stream limit and connection limit. But there are other variations of this attack, e.g. causing memory allocations by sending partial payloads on various protocol levels, forcing the victim to buffer the partial payload for a period of time or by tricking the victim into pre-allocating buffers for messages which are never sent by the attacker.

Patches

Users are advised to upgrade to libp2p v0.45.1 or above.

References

Please see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.

Please see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv

For more information

If you have any questions or comments about this advisory, please email us at security@libp2p.io.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23486

CVE-2022-23486:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23486

GHSA ID

GHSA-jvgw-gccv-q5p8

EPSS Score

0.21532%

CWE

CWE-400

Published

12/7/2022

Updated

7/14/2023

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
libp2p	rust	<= 0.45.0	0.45.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability fundamentally stems from missing resource management in three key areas: 1) Stream multiplexers (mplex/yamux) didn't enforce per-connection stream limits 2) Connection management lacked proper resource caps 3) Protocol handlers allowed memory-intensive operations without throttling. While exact function names aren't specified in advisories, the architectural components and CWE mappings (CWE-400/770) clearly indicate these subsystems as vulnerable points. The high confidence comes from the explicit mention of stream multiplexers and connection management in vulnerability details, while protocol buffer handling is inferred from described attack variations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23486: libp2p DoS vulnerability from lack of resource management

Impact

Details

Patches

References

For more information

CVE-2022-23486:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2022-23486: libp2p DoS vulnerability from lack of resource management

Impact

Details

Patches

References

For more information

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI