Failure to validate signature during handshake in @chainsafe/libp2p-noise
Description
@chainsafe/libp2p-noise contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. @chainsafe/libp2p-noise before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Signature validation bug in @chainsafe/libp2p-noise before 4.1.2 & 5.0.3 allows MITM to impersonate peers and cause bans.
Vulnerability
The @chainsafe/libp2p-noise TypeScript implementation of the Noise protocol used in libp2p does not correctly validate signatures during the handshake process in versions before 4.1.2 and 5.0.3 [1][3]. This flaw resides in the signature verification step of the handshake, allowing an attacker to inject or alter signed payloads without detection.
Exploitation
An attacker who can perform a man-in-the-middle attack on the communication channel can exploit this by presenting invalid or forged signatures that the handshake code improperly accepts [3]. No additional authentication or user interaction is required beyond network positioning to intercept traffic between two legitimate peers.
Impact
A successful exploit allows the attacker to pose as any other peer in the network [3]. This impersonation can cause the legitimate target peer to be blamed for misbehavior and subsequently banned by other nodes, disrupting the peer-to-peer connectivity and potentially leading to denial of service for the targeted peer [1][3].
Mitigation
Users should upgrade to version 4.1.2 or 5.0.3, which contain the fix [1][3]. The fix is available in the GitHub pull request #130 and includes corrected signature validation logic [1]. No known workarounds exist for unpatched versions [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@chainsafe/libp2p-noisenpm | < 4.1.2 | 4.1.2 |
@chainsafe/libp2p-noisenpm | >= 5.0.0, < 5.0.3 | 5.0.3 |
Affected products
3- Range: <=4.1.1 || <=5.0.2
- ChainSafe/js-libp2p-noisev5Range: < 4.1.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-j3ff-xp6c-6gccghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24759ghsaADVISORY
- github.com/ChainSafe/js-libp2p-noise/pull/130ghsax_refsource_MISCWEB
- github.com/ChainSafe/js-libp2p-noise/releases/tag/v5.0.3ghsax_refsource_MISCWEB
- github.com/ChainSafe/js-libp2p-noise/security/advisories/GHSA-j3ff-xp6c-6gccghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.