py-libp2p Denial-of-Service Vulnerability via Large RSA Keys
Vulnerability
A denial-of-service vulnerability has been identified in py-libp2p versions prior to 0.2.3. This issue allows a peer to cause resource exhaustion by sending large RSA keys, which the affected node must process during signature verification. The lack of a length limit for RSA keys enables this resource consumption attack.
Impact
Exploitation of this vulnerability leads to resource exhaustion on the affected node, causing it to spend excessive time verifying signatures for large RSA keys.
Reproduction
To reproduce this vulnerability, send a large RSA key to a node running a vulnerable version of py-libp2p. The node will then experience a resource exhaustion attack as it processes the oversized key during signature verification.
Remediation
Users can upgrade to py-libp2p version 0.2.3 or later, where this vulnerability has been addressed by implementing a maximum RSA key size limit of 4096 bits.
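The fix described above is a size gate that runs before any signature verification. The following Python is an added example written for this advisory, not py-libp2p's own code; it assumes peer keys arrive as PKCS#1 RSAPublicKey DER (SEQUENCE { INTEGER n, INTEGER e }), uses the 4096-bit ceiling the advisory attributes to 0.2.3, and builds its own constructed (non-prime) sample moduli so it runs offline with only the standard library. The point it demonstrates is that the rejection cost is linear in the attacker-supplied bytes, so an oversized key is dropped without any modular-exponentiation work.

```python
"""Bound RSA public-key size before signature verification.

Added example, not py-libp2p's own code. Assumes PKCS#1 RSAPublicKey DER
input; MAX_RSA_KEY_BITS is the 4096-bit limit the advisory reports for 0.2.3.
"""
from typing import Tuple

MAX_RSA_KEY_BITS = 4096  # ceiling from the advisory's remediation


class OversizedKeyError(ValueError):
    """Raised when a peer's RSA modulus exceeds the configured limit."""


# --- minimal DER helpers: enough for RSAPublicKey, not a general ASN.1 library ---

def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (leading 0x00 keeps it positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV at data[pos]; bounds-checked."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos + 2 : pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    end = start + length
    if end > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[start:end], end


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus in an RSAPublicKey DER blob (linear in input size)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()


def check_rsa_key_size(der: bytes, max_bits: int = MAX_RSA_KEY_BITS) -> int:
    """Gate to run before any signature verification: returns modulus bits or raises."""
    # Cheap pre-filter on raw length: a max_bits modulus needs max_bits//8 + 1 bytes
    # plus a few bytes of tag/length framing and a small exponent, so anything
    # much larger is rejected before it is even parsed.
    if len(der) > max_bits // 8 + 64:
        raise OversizedKeyError(
            f"key blob of {len(der)} bytes is larger than any {max_bits}-bit key needs"
        )
    bits = rsa_modulus_bits(der)
    if bits > max_bits:
        raise OversizedKeyError(f"RSA modulus is {bits} bits, limit is {max_bits}")
    return bits


if __name__ == "__main__":
    # Constructed moduli (not real RSA keys): only the bit length matters here.
    ok_key = encode_rsa_public_key((1 << 2047) | 1, 65537)
    huge_key = encode_rsa_public_key((1 << 16383) | 1, 65537)
    print("2048-bit key accepted:", check_rsa_key_size(ok_key))
    try:
        check_rsa_key_size(huge_key)
    except OversizedKeyError as exc:
        print("rejected:", exc)
```

In a node this check belongs at the point where a peer's public key is first decoded, ahead of the verify call, so the expensive big-integer work never starts for a key that would be rejected anyway; the raw-length pre-filter also catches unusually large public exponents, which inflate verification cost in the same way.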