
GHSA-wc36-xgcc-jwpr
Rust vulnerability analysis and mitigation

Overview

A high-severity security vulnerability was identified in the libp2p-core Rust crate, affecting versions >= 0.30.0-rc.1 and < 0.30.2. The vulnerability was discovered and reported on February 7, 2022, and was published to the GitHub Advisory Database on June 17, 2022. The issue is a missing check that the public key carried in a SignedEnvelope actually corresponds to the PeerId named in the enclosed PeerRecord: the relationship between the signing key and the claimed peer identity was never validated (GitHub Advisory, RustSec Advisory).

Technical details

The vulnerability specifically affects the libp2p_core::PeerRecord::from_signed_envelope function. The implementation checked the envelope's signature but never verified that the public key used to produce that signature derives to the peer ID stated in the peer record. Any envelope with a valid signature was therefore accepted, regardless of whether the signing key belonged to the PeerId the record claims (RustSec Advisory).

Impact

This vulnerability allows malicious actors to republish an existing PeerRecord with a different PeerId, potentially compromising the integrity of peer identification and authentication within the libp2p networking stack (GitHub Advisory, RustSec Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 0.30.2 and versions >= 0.31.1. Users are strongly advised to upgrade to these patched versions to ensure proper verification of peer records and maintain system security (RustSec Advisory).
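To make the missing check in the technical details concrete, and the fix the patched versions ship, the following is an added model written for this page, not rust-libp2p code. A std hash stands in for the real multihash PeerId derivation and the Ed25519 signature, and the payload layout is a stand-in for the protobuf encoding; `from_signed_envelope_unchecked` mirrors the pre-0.30.2 behaviour and `from_signed_envelope` adds the key-to-PeerId binding check.

```rust
// Added illustration, not rust-libp2p code. A std hash stands in for the real
// multihash PeerId derivation and the Ed25519 signature; the identity check is the point.
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

fn digest(tag: &[u8], key: &[u8], payload: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    for part in [tag, key, payload] { h.write(&(part.len() as u64).to_le_bytes()); h.write(part); }
    h.finish()
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct PeerId(u64);
#[derive(Clone)]
pub struct PublicKey(pub Vec<u8>);
impl PublicKey {
    /// Stand-in for PeerId::from_public_key: the id is derived from the key bytes.
    pub fn to_peer_id(&self) -> PeerId { PeerId(digest(b"id", &self.0, &[])) }
}

/// Envelope = signing key + opaque payload + signature over the payload.
pub struct SignedEnvelope { pub key: PublicKey, pub payload: Vec<u8>, pub signature: u64 }
impl SignedEnvelope {
    pub fn sign(key: PublicKey, payload: Vec<u8>) -> Self {
        let signature = digest(b"sig", &key.0, &payload);
        SignedEnvelope { key, payload, signature }
    }
    pub fn verify(&self) -> bool { self.signature == digest(b"sig", &self.key.0, &self.payload) }
}

#[derive(Debug, PartialEq, Eq)]
pub struct PeerRecord { pub peer_id: PeerId, pub seq: u64 }
#[derive(Debug, PartialEq, Eq)]
pub enum FromEnvelopeError { InvalidSignature, InvalidPayload, MismatchedPeerId }
impl PeerRecord {
    /// Payload layout (stand-in for the protobuf): peer_id LE u64 || seq LE u64.
    pub fn encode(&self) -> Vec<u8> { [self.peer_id.0.to_le_bytes(), self.seq.to_le_bytes()].concat() }
    fn decode(b: &[u8]) -> Result<Self, FromEnvelopeError> {
        if b.len() != 16 { return Err(FromEnvelopeError::InvalidPayload); }
        let (id, seq) = (b[..8].try_into().unwrap(), b[8..].try_into().unwrap());
        Ok(PeerRecord { peer_id: PeerId(u64::from_le_bytes(id)), seq: u64::from_le_bytes(seq) })
    }
    /// Behaviour described for < 0.30.2: a valid signature from *any* key is accepted.
    pub fn from_signed_envelope_unchecked(e: &SignedEnvelope) -> Result<Self, FromEnvelopeError> {
        if !e.verify() { return Err(FromEnvelopeError::InvalidSignature); }
        Self::decode(&e.payload)
    }
    /// Fixed behaviour: the signing key must derive to the PeerId the record claims.
    pub fn from_signed_envelope(e: &SignedEnvelope) -> Result<Self, FromEnvelopeError> {
        let record = Self::from_signed_envelope_unchecked(e)?;
        if e.key.to_peer_id() != record.peer_id { return Err(FromEnvelopeError::MismatchedPeerId); }
        Ok(record)
    }
}
```

A receiver running the fixed path rejects a record whose signing key does not derive to the stated PeerId with `MismatchedPeerId`, while still rejecting tampered signatures as before.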

Source: This report was generated using AI.
