CVE-2025-29606
BaseFortify
Publication date: 2025-07-14
Last updated on: 2025-07-15
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libp2p | py-libp2p | < 0.2.3 (fixed in 0.2.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in py-libp2p before version 0.2.3 allows a malicious peer to cause a denial of service because the library imposes no length limit on RSA public keys it receives. A remote peer can present an excessively large RSA key and force the target node to spend disproportionate CPU time on signature verification with that key; the cost of RSA operations grows faster than linearly with the modulus size, so a key several times larger than a normal one is far more than several times as expensive to process. The result is resource exhaustion, degraded performance, or unavailability of the node. The root cause is the missing maximum-size check: oversized keys are accepted and processed like any other. [1]
How can this vulnerability impact me?
This vulnerability affects any system running a vulnerable version of py-libp2p that accepts connections from untrusted peers. An attacker can send very large RSA keys that consume excessive CPU during signature verification, slowing the affected node or rendering it unresponsive. This degrades performance, disrupts peer-to-peer communication, and reduces the availability of services built on py-libp2p. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to noticing unusually large RSA keys being received by the py-libp2p implementation: any RSA key larger than the expected size (greater than 4096 bits) is suspicious. The practical place to measure this is the application itself, for example by logging the modulus size wherever peer public keys are deserialized, or by reviewing application logs for RSA key validation failures once a patched version is deployed. Passive network capture with Wireshark or tshark is of limited use here: in the Noise and TLS security handshakes the peer's identity key travels inside encrypted handshake payloads, so key sizes are generally not visible on the wire. Monitoring CPU usage per connection can also reveal a peer whose handshakes are anomalously expensive. No explicit detection commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update py-libp2p to version 0.2.3 or later, which enforces a maximum RSA key size of 4096 bits and rejects larger keys before they are used. If updating is not immediately possible, limit exposure to untrusted peers (for example by restricting inbound connections to known peers or rate-limiting handshakes) and monitor for connections whose handshakes consume abnormal CPU; note that blocking on key size at the network layer is not generally feasible because the key is exchanged inside the encrypted security handshake. The primary mitigation is the code update that enforces RSA key size validation as described in the patch. [2]
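The following is an added example, not py-libp2p's own code, illustrating the check described in the explanation and mitigation answers above: bound the size of a peer-supplied RSA key before doing any signature verification with it. It walks only the ASN.1 framing of a DER-encoded SubjectPublicKeyInfo (the X.509 encoding libp2p uses for RSA public keys) to read the modulus width, and rejects over-long encodings before parsing at all, so an oversized key costs the receiver almost nothing. The 4096-bit ceiling is the limit the page reports for 0.2.3; the 2048-bit floor, the byte-length pre-check, the function names and the sample keys are assumptions made for this example, and the sample moduli are constructed integers of the right width rather than real RSA keys.

```python
from __future__ import annotations

# Added example (not py-libp2p code): reject oversized RSA keys before any
# signature verification, using only the standard library.

MAX_RSA_KEY_BITS = 4096          # upper bound the page reports for the 0.2.3 fix
MIN_RSA_KEY_BITS = 2048          # assumption: floor chosen for this example
# Cheap pre-check (assumption): a SubjectPublicKeyInfo for a MAX_RSA_KEY_BITS
# modulus needs the modulus bytes plus a few dozen bytes of ASN.1 framing, so
# anything much longer cannot be acceptable and is refused before parsing.
MAX_SPKI_BYTES = MAX_RSA_KEY_BITS // 8 + 128

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der_tlv(0x02, raw)


def encode_rsa_spki(n: int, e: int) -> bytes:
    """Build an X.509 SubjectPublicKeyInfo for an RSA public key (n, e)."""
    rsa_public_key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL
    bit_string = _der_tlv(0x03, b"\x00" + rsa_public_key)       # 0 unused bits
    return _der_tlv(0x30, alg_id + bit_string)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Return (tag, body_start, body_end) for the TLV at buf[pos]."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2 : pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def rsa_modulus_bits(spki: bytes) -> int:
    """Extract the modulus bit length from a DER SubjectPublicKeyInfo.

    Only the ASN.1 framing is walked; no big-integer arithmetic is done on
    the key, so a hostile key cannot make this step expensive.
    """
    if len(spki) > MAX_SPKI_BYTES:
        raise ValueError(f"encoded key is {len(spki)} bytes, limit {MAX_SPKI_BYTES}")
    tag, start, end = _read_tlv(spki, 0)                      # SubjectPublicKeyInfo
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a SubjectPublicKeyInfo")
    tag, alg_start, alg_end = _read_tlv(spki, start)          # AlgorithmIdentifier
    if tag != 0x30 or not spki[alg_start:alg_end].startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bs_start, bs_end = _read_tlv(spki, alg_end)          # BIT STRING
    if tag != 0x03 or bs_end - bs_start < 2 or spki[bs_start] != 0:
        raise ValueError("malformed subjectPublicKey")
    tag, seq_start, seq_end = _read_tlv(spki, bs_start + 1)   # RSAPublicKey
    if tag != 0x30:
        raise ValueError("malformed RSAPublicKey")
    tag, n_start, n_end = _read_tlv(spki, seq_start)          # modulus INTEGER
    if tag != 0x02:
        raise ValueError("malformed modulus")
    modulus = spki[n_start:n_end].lstrip(b"\x00")
    if not modulus:
        raise ValueError("zero modulus")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def is_acceptable_rsa_key(spki: bytes) -> bool:
    """Gate a peer-supplied RSA key: size bounds are checked before any crypto."""
    try:
        bits = rsa_modulus_bits(spki)
    except ValueError:
        return False
    return MIN_RSA_KEY_BITS <= bits <= MAX_RSA_KEY_BITS


# Constructed samples: the size check only looks at bit width, so these are
# integers of the right width, not real RSA moduli.
SAMPLE_1024 = encode_rsa_spki((1 << 1023) | 1, 65537)
SAMPLE_2048 = encode_rsa_spki((1 << 2047) | 1, 65537)
SAMPLE_4096 = encode_rsa_spki((1 << 4095) | 1, 65537)
SAMPLE_8192 = encode_rsa_spki((1 << 8191) | 1, 65537)   # the kind of key a hostile peer would send

if __name__ == "__main__":
    for name, key in [("1024", SAMPLE_1024), ("2048", SAMPLE_2048),
                      ("4096", SAMPLE_4096), ("8192", SAMPLE_8192)]:
        print(name, len(key), "bytes", "accept" if is_acceptable_rsa_key(key) else "reject")
```

The ordering is the point: the byte-length check runs before any parsing, the modulus width is read from the DER framing without converting the modulus to an integer, and only keys inside the bounds ever reach a verifier. Applied at the place where peer public keys are deserialized, the same gate rejects the oversized keys this advisory describes before they can cost CPU.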