CVE-2023-40583
CVE-2023-40583 is a high-severity vulnerability in Protocol Libp2p with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (51st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-400
- Affected product: Protocol Libp2p
- Published:
- Last modified:
Description
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
Frequently asked questions
- What is CVE-2023-40583?
- libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.
- How severe is CVE-2023-40583?
- CVE-2023-40583 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2023-40583 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (51st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-40583?
- CVE-2023-40583 affects Protocol Libp2p. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-40583?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-40583 published?
- CVE-2023-40583 was published on 2023-08-25 and last updated on 2026-06-17.
References
- https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd
- https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4
- https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7
- https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3
Affected products (1)
- cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*
More vulnerabilities in Protocol Libp2p
- CVE-2026-35457 — High (CVSS 8.2): libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the…
- CVE-2026-35405 — High (CVSS 7.5): libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1,…
- CVE-2022-23492 — High (CVSS 7.5): go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p…
- CVE-2022-23487 — High (CVSS 7.5): js-libp2p is the official javascript Implementation of libp2p networking stack. Versions older than `v0.38.0` of…
- CVE-2022-23486 — High (CVSS 7.5): libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an…
All CVEs affecting Protocol Libp2p →
Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities
- CVE-2026-46775 — Critical (CVSS 9.9): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0.…
- CVE-2025-61303 — Critical (CVSS 9.8): Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a…
- CVE-2025-43193 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7,…
- CVE-2025-24269 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to…
- CVE-2025-24264 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4,…
- CVE-2025-24260 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5,…
Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →