7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-39533

GHSA ID

GHSA-876p-8259-xjgg

EPSS Score

0.30341%

CWE

CWE-770

Published

8/9/2023

Updated

11/10/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-39533

CVE-2023-39533: libp2p nodes vulnerable to attack using large RSA keys

Impact

A malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step. To prevent this attack, go-libp2p now restricts RSA keys to <= 8192 bits.

Patches

Users should upgrade their go-libp2p versions to >=v0.27.8, >= v0.28.2, or >=v0.29.1 To protect your application, it's necessary to update to these patch releases AND to use the updated Go compiler (1.20.7 or 1.19.12, respectively)

Workarounds

There are no known workarounds

References

The Golang crypto/tls package also had this vulnerability ("verifying certificate chains containing large RSA keys is slow” https://github.com/golang/go/issues/61460) Fix in golang/go crypto/tls: https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017 Fix in quic-go https://github.com/quic-go/quic-go/pull/4012

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-39533

CVE-2023-39533:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-39533

GHSA ID

GHSA-876p-8259-xjgg

EPSS Score

0.30341%

CWE

CWE-770

Published

8/9/2023

Updated

11/10/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/libp2p/go-libp2p	go	< 0.27.8	0.27.8
github.com/libp2p/go-libp2p	go	>= 0.28.0, < 0.28.2	0.28.2
github.com/libp2p/go-libp2p	go	= 0.29.0	0.29.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from processing RSA keys without size limits. The patches explicitly add checks in these three functions to restrict key sizes to <=8192 bits. These functions are directly involved in key generation and parsing during TLS/Noise handshakes. The commit diffs show these functions were modified to add size validation, confirming they were previously vulnerable entry points for large key attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-39533: libp2p nodes vulnerable to attack using large RSA keys

Impact

Patches

Workarounds

References

CVE-2023-39533:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.5

7.5

CVE-2023-39533: libp2p nodes vulnerable to attack using large RSA keys

Impact

Patches

Workarounds

References

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI