GHSA-V5HW-CV9C-RPG7

Vulnerability from github – Published: 2026-04-04 06:34 – Updated: 2026-04-07 19:59
Summary
libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
Details

Summary

The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.

Details

Pagination state is stored in:

HashMap<Cookie, HashSet<RegistrationId>>

On Message::Discover:

remote peer
→ DISCOVER
→ handle_request
→ registrations.get(...)
→ new cookie generated
→ cookie inserted into Registrations::cookies

There is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.

PoC

A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.

Impact

Remote state amplification leading to memory exhaustion.

Properties:

  • network reachable
  • no authentication required
  • low attack complexity
  • protocol-compliant traffic

Impacts rendezvous nodes exposed to untrusted peers.

Possible Fixes

  1. Global cap + eviction

Bound cookie storage (MAX_COOKIES_TRACKED) with FIFO/expiry-aware eviction.
Tradeoff: attacker can churn cookies and evict legitimate pagination state.

  2. Stateless cookies

Encode pagination state in authenticated cookies instead of storing server-side state.
Tradeoff: more complex implementation.

  3. Rate limiting / per-peer quotas

Limit cookie creation per peer.
Tradeoff: requires peer tracking.
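
The first option (global cap with FIFO eviction) as an added sketch; this is not rust-libp2p's code and not the fix shipped in 0.17.1. The `Cookie` and `RegistrationId` aliases, the `BoundedCookies` type, the counter-based cookie and the cap value of 4 are assumptions made for the example; only the map shape and the `MAX_COOKIES_TRACKED` name come from the advisory.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

// Stand-in types (assumptions): the real crate defines its own Cookie and RegistrationId.
type Cookie = u64;
type RegistrationId = u64;

/// Cap named in the advisory; the value is an arbitrary choice for this example.
const MAX_COOKIES_TRACKED: usize = 4;

/// Pagination state with a hard cap and FIFO eviction (hypothetical type).
struct BoundedCookies {
    cookies: HashMap<Cookie, HashSet<RegistrationId>>,
    order: VecDeque<Cookie>, // insertion order, oldest at the front
    next: Cookie,            // counter instead of a random cookie, for determinism
}

impl BoundedCookies {
    fn new() -> Self { Self { cookies: HashMap::new(), order: VecDeque::new(), next: 0 } }

    /// Called once per DISCOVER: store what was returned, hand out a new cookie.
    fn issue(&mut self, seen: HashSet<RegistrationId>) -> Cookie {
        // One insert per call, so evicting a single oldest entry keeps len <= cap.
        if self.cookies.len() >= MAX_COOKIES_TRACKED {
            if let Some(old) = self.order.pop_front() {
                self.cookies.remove(&old);
            }
        }
        let cookie = self.next;
        self.next += 1;
        self.cookies.insert(cookie, seen);
        self.order.push_back(cookie);
        cookie
    }

    /// None means the cookie is unknown or was evicted; the caller must handle both.
    fn lookup(&self, cookie: Cookie) -> Option<&HashSet<RegistrationId>> {
        self.cookies.get(&cookie)
    }

    fn tracked(&self) -> usize { self.cookies.len() }
}

fn main() {
    let mut store = BoundedCookies::new();
    let legit = store.issue(HashSet::from([1, 2, 3])); // constructed sample state
    for _ in 0..1_000 { store.issue(HashSet::new()); } // repeated DISCOVERs
    println!("tracked = {}, legit survives = {}", store.tracked(), store.lookup(legit).is_some());
}
```

Memory stays at the cap regardless of request volume, and the first cookie is gone after the churn, which is the tradeoff the advisory names for this option.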


{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libp2p-rendezvous"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:34:29Z",
    "nvd_published_at": "2026-04-07T15:17:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue `DISCOVER` requests and force unbounded memory growth.\n\n### Details\n\nPagination state is stored in:\n\n```rs\nHashMap\u003cCookie, HashSet\u003cRegistrationId\u003e\u003e\n```\n\nOn `Message::Discover`:\n\n```\nremote peer\n\u2192 DISCOVER\n\u2192 handle_request\n\u2192 registrations.get(...)\n\u2192 new cookie generated\n\u2192 cookie inserted into Registrations::cookies\n```\n\nThere is **no upper bound or eviction policy**, so repeated DISCOVER requests grow this map indefinitely.\n\n\n### PoC\nA reproduction test and minimal harness will be provided in a private fork in a follow-up comment.\n\n### Impact\n\n**Remote state amplification leading to memory exhaustion.**\n\n\nProperties:\n\n- etwork reachable\n- no authentication required\n- low attack complexity\n- protocol-compliant traffic\n\nImpacts rendezvous nodes exposed to untrusted peers.\n---\n\n### Possible Fixes\n\n1. **Global cap + eviction**\n\nBound cookie storage (`MAX_COOKIES_TRACKED`) with FIFO/expiry aware eviction.  \nTradeoff: attacker can churn cookies and evict legitimate pagination state.\n\n2. **Stateless cookies**\n\nEncode pagination state in authenticated cookies instead of storing server-side state.  \nTradeoff: more complex implementation.\n\n3. **Rate limiting / per-peer quotas**\n\nLimit cookie creation per peer.  \nTradeoff: requires peer tracking.",
  "id": "GHSA-v5hw-cv9c-rpg7",
  "modified": "2026-04-07T19:59:51Z",
  "published": "2026-04-04T06:34:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35457"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/rust-libp2p"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion"
}

