CVE-2025-29606: 
Python vulnerability analysis and mitigation

py-libp2p before version 0.2.3 contains a vulnerability that allows a peer to cause a denial of service (resource consumption) via a large RSA key. The vulnerability was discovered by researchers from FUDAN University and was assigned CVE-2025-29606. The issue was reported on March 2, 2025, and subsequently fixed in version 0.2.3 (NVD, GitHub Issue).

The vulnerability stems from the absence of length restrictions on RSA keys in py-libp2p. Without a maximum key size limit, a malicious peer could use exceptionally large RSA keys to force a node to spend excessive time performing signature verification. The fix implemented in version 0.2.3 introduces a maximum RSA key size limit of 4096 bits to prevent resource exhaustion attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability can lead to denial of service through resource exhaustion. When exploited, a malicious peer can force a target node to expend significant computational resources verifying signatures of large RSA keys, potentially impacting system performance and availability (GitHub Issue).

The vulnerability has been fixed in py-libp2p version 0.2.3 by implementing a maximum RSA key size limit of 4096 bits. Users should upgrade to version 0.2.3 or later to protect against this vulnerability. The fix includes validation logic to check for invalid key sizes and prevent the use of oversized RSA keys (GitHub PR).