VYPR
Medium severity (4.3) · OSV Advisory · Published Jul 14, 2025 · Updated Apr 15, 2026

CVE-2025-29606

Description

py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: libp2p (PyPI)
Affected versions: < 0.2.3
Patched versions: 0.2.3


Patches

Commit e150d3153af3 · refuse large RSA keys
Repository: https://github.com/libp2p/py-libp2p · Author: Khwahish Patel · Mar 5, 2025 · via GHSA
1 file changed · +26 −0
  • libp2p/crypto/rsa.py · +26 −0 · modified
    @@ -9,16 +9,36 @@
         pkcs1_15,
     )
     
    +from libp2p.crypto.exceptions import (
    +    CryptographyError,
    +)
     from libp2p.crypto.keys import (
         KeyPair,
         KeyType,
         PrivateKey,
         PublicKey,
     )
     
    +MAX_RSA_KEY_SIZE = 4096
    +
    +
    +def validate_rsa_key_size(key: RsaKey) -> None:
    +    """
    +    Validate that an RSA key's size is within acceptable bounds.
    +
    +    :param key: The RSA key to validate
    +    :raises CryptographyError: If the key size exceeds the maximum allowed size
    +    """
    +    key_size = key.size_in_bits()
    +    if key_size > MAX_RSA_KEY_SIZE:
    +        msg = f"RSA key size {key_size} "
    +        msg += f"exceeds maximum allowed size {MAX_RSA_KEY_SIZE}"
    +        raise CryptographyError(msg)
    +
     
     class RSAPublicKey(PublicKey):
         def __init__(self, impl: RsaKey) -> None:
    +        validate_rsa_key_size(impl)
             self.impl = impl
     
         def to_bytes(self) -> bytes:
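Review bot: `validate_rsa_key_size` enforces only an upper bound (`key_size > MAX_RSA_KEY_SIZE`), so undersized keys (for example 512-bit) still pass the new check in `RSAPublicKey.__init__`; if a floor is intended, add a `MIN_RSA_KEY_SIZE` comparison next to it. The choice of 4096 as the ceiling is undocumented, and peers presenting legitimately larger keys will now fail with `CryptographyError` at construction time, so a comment on why this limit was picked (and the interoperability trade-off) would help. The patch touches only `libp2p/crypto/rsa.py`, so no regression test covers the rejection path; a test that an oversized `RsaKey` raises `CryptographyError` from both `__init__` and `from_bytes` should accompany this change.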
    @@ -27,6 +47,7 @@ def to_bytes(self) -> bytes:
         @classmethod
         def from_bytes(cls, key_bytes: bytes) -> "RSAPublicKey":
             rsakey = RSA.import_key(key_bytes)
    +        validate_rsa_key_size(rsakey)
             return cls(rsakey)
     
         def get_type(self) -> KeyType:
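Review bot: the `validate_rsa_key_size(rsakey)` call in `from_bytes` is redundant, since `cls(rsakey)` invokes `RSAPublicKey.__init__`, which this patch already makes validate the key, so the same check runs twice. More importantly, the check runs after `RSA.import_key(key_bytes)` has already parsed the oversized key, so the parsing work is done before rejection; if the goal is to stop resource consumption at the earliest point, consider bounding `len(key_bytes)` before calling `RSA.import_key` and keeping a single post-parse validation in `__init__`.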
    @@ -43,10 +64,15 @@ def verify(self, data: bytes, signature: bytes) -> bool:
     
     class RSAPrivateKey(PrivateKey):
         def __init__(self, impl: RsaKey) -> None:
    +        validate_rsa_key_size(impl)
             self.impl = impl
     
         @classmethod
         def new(cls, bits: int = 2048, e: int = 65537) -> "RSAPrivateKey":
    +        if bits > MAX_RSA_KEY_SIZE:
    +            msg = f"Requested RSA key size {bits} "
    +            msg += f"exceeds maximum allowed size {MAX_RSA_KEY_SIZE}"
    +            raise CryptographyError(msg)
             private_key_impl = RSA.generate(bits, e=e)
             return cls(private_key_impl)
     
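Review bot: the inline `bits > MAX_RSA_KEY_SIZE` check in `new` duplicates the comparison in `validate_rsa_key_size` with a differently worded message; placing it before `RSA.generate(bits, e=e)` is the right order (generation is the expensive step), but the bound and message should live in one helper, e.g. a `validate_rsa_key_bits(bits)` that `validate_rsa_key_size` also calls, so the two cannot drift apart. Note that the generated key is validated again in `RSAPrivateKey.__init__` via `cls(private_key_impl)`, which is harmless but worth a comment so the double check is not later "fixed" by removing the pre-generation guard.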
    
