Skip to content

Identity Spoofing in libp2p-secio

Critical severity GitHub Reviewed Published Aug 23, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm libp2p-secio (npm)

Affected versions

< 0.9.0

Patched versions

0.9.0

Description

Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability.

Recommendation

Update to version 0.9.0 or later.

References

Reviewed Aug 22, 2019
Published to the GitHub Advisory Database Aug 23, 2019
Last updated Jan 9, 2023

Severity

Critical
9.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-rch7-f4h5-x9rj

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.