npm

Severity: critical

Identity Spoofing

libp2p-secio

Overview

Affected versions of libp2p-secio do not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability.
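The missing check, shown as an added example in a simplified model (this is not libp2p-secio's code): the dialer must derive a peer ID from the public key the remote proved in the handshake and compare it with the ID it intended to reach. The function names, the nonce-signing handshake and the SHA-256-over-DER ID derivation are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: peer ID = SHA-256 of the DER-encoded public key.
// Real libp2p IDs are multihashes of a protobuf-encoded key.
function peerIdFromPublicKey(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest();
}

// Constructed stand-in for the handshake: the remote proves possession
// of its private key by signing the dialer's nonce.
function remoteHandshake(remoteKeys, nonce) {
  return {
    publicKey: remoteKeys.publicKey,
    signature: crypto.sign(null, nonce, remoteKeys.privateKey),
  };
}

// Before: the signature is valid, but nothing ties the key to the
// peer ID the dialer asked for (expectedPeerId is never used).
function acceptUnchecked(expectedPeerId, nonce, hs) {
  return crypto.verify(null, nonce, hs.publicKey, hs.signature);
}

// After: the ID derived from the proven key must equal the intended ID.
function acceptChecked(expectedPeerId, nonce, hs) {
  if (!crypto.verify(null, nonce, hs.publicKey, hs.signature)) return false;
  const actual = peerIdFromPublicKey(hs.publicKey);
  return actual.length === expectedPeerId.length &&
    crypto.timingSafeEqual(actual, expectedPeerId);
}

function demo() {
  const intended = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // a different peer answers
  const expectedPeerId = peerIdFromPublicKey(intended.publicKey);
  const nonce = crypto.randomBytes(32);
  return {
    uncheckedAcceptsOther: acceptUnchecked(expectedPeerId, nonce, remoteHandshake(other, nonce)),
    checkedAcceptsOther: acceptChecked(expectedPeerId, nonce, remoteHandshake(other, nonce)),
    checkedAcceptsIntended: acceptChecked(expectedPeerId, nonce, remoteHandshake(intended, nonce)),
  };
}

console.log(demo());
```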

Remediation

Update to version 0.9.0 or later.


Advisory timeline

  1. published: Advisory published, Jan 15th, 2018
  2. reported: Initial report by Maciej Krüger, Jan 15th, 2018