GMS-2019-131: Identity Spoofing in libp2p-secio

August 23, 2019 (updated August 17, 2021)

Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability.

Recommendation

Update to version 0.9.0 or later.

References

github.com/advisories/GHSA-rch7-f4h5-x9rj
github.com/libp2p/js-libp2p-secio/pull/95
nodesecurity.io/advisories/558
snyk.io/vuln/npm:libp2p-secio:20180115
www.npmjs.com/advisories/558

Code Behaviors & Features

Detect and mitigate GMS-2019-131 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →