| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| libp2p | pip | < 0.2.3 | 0.2.3 |
The vulnerability, identified as CVE-2025-29606, is a resource exhaustion Denial of Service in the py-libp2p library. The root cause is the lack of validation on the size of RSA keys being processed. An attacker could establish a connection with a peer and present a public key with an excessively large bit length (e.g., much larger than the standard 2048 or 4096 bits).
The py-libp2p node would attempt to process this key, primarily through the RSAPublicKey.from_bytes function, which deserializes the key material received over the network. Before the patch, this function and the class constructors (__init__) for both RSAPublicKey and RSAPrivateKey would accept any valid RSA key, regardless of its size. The subsequent cryptographic operations involving this key, such as instantiation and verification, would consume a disproportionate amount of CPU and memory, effectively stalling or crashing the service.
The patch addresses this by introducing a size limit (MAX_RSA_KEY_SIZE = 4096) and a validation function, validate_rsa_key_size. This validation is now performed whenever a key is created or deserialized, ensuring that oversized keys are rejected early, thus preventing the resource exhaustion attack. The key vulnerable functions are those that handle the creation and deserialization of keys, as they are the entry points for the malicious input.
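The check described above, as an added example that is not py-libp2p's own code: it parses only the DER envelope of a PKCS#1 RSAPublicKey to read the modulus bit length, then applies a MAX_RSA_KEY_SIZE limit before any key object is built, so an oversized key is rejected at the deserialization entry point instead of reaching expensive cryptographic operations. The DER helpers, the function names and the sample moduli are constructed for this illustration.

```python
MAX_RSA_KEY_SIZE = 4096  # same cap as the patch; names below are illustrative

def _der_len(n):
    # DER length: short form under 0x80, otherwise 0x8N plus N big-endian bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:        # keep the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b

def encode_rsa_public_key(n, e):
    # PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos, tag):
    # Return (value, next_pos) for one DER element; reject malformed lengths
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    # Cheap: only the modulus length is inspected, no key object is created
    body, _ = _read_tlv(der, 0, 0x30)
    n_bytes, _ = _read_tlv(body, 0, 0x02)
    return int.from_bytes(n_bytes, "big").bit_length()

def validate_rsa_key_size(bits):
    if bits > MAX_RSA_KEY_SIZE:
        raise ValueError(f"RSA key size {bits} exceeds {MAX_RSA_KEY_SIZE} bits")
    return bits

def rsa_public_key_from_bytes(der):
    # Validate first, then do the (comparatively expensive) full decode
    bits = validate_rsa_key_size(rsa_modulus_bits(der))
    body, _ = _read_tlv(der, 0, 0x30)
    n_bytes, pos = _read_tlv(body, 0, 0x02)
    e_bytes, _ = _read_tlv(body, pos, 0x02)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"), bits

# Constructed sample keys (not real key material): 2048-bit and 16384-bit moduli
OK_KEY = encode_rsa_public_key((1 << 2047) | 1, 65537)
HUGE_KEY = encode_rsa_public_key((1 << 16383) | 1, 65537)
```

In the real library the equivalent check belongs in every constructor and deserializer the text names, since each is a network-facing entry point.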