Nimiq Network Libp2p Uncontrolled Memory Allocation Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the 'nimiq/network-libp2p' subcrate of the Nimiq Proof-of-Stake client implementation. This issue arises from uncontrolled memory allocation in the 'Discovery' network message handling, where a buffer is allocated based on a length value provided by the peer, without enforcing an upper limit. As a result, a peer can cause allocations of up to 4 GB, leading to memory exhaustion and node crashes. This vulnerability can be repeatedly exploited, as Discovery messages are frequently exchanged for peer discovery.

Impact

Exploitation of this vulnerability can cause memory exhaustion, leading to node crashes.

Remediation

Users can upgrade to version 1.1.0 or later, where this vulnerability has been patched by limiting the discovery message size to 1 MB and implementing a mechanism to resize the message buffer incrementally as data is read.
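
The remediation described above (a hard size cap plus a buffer that grows only as data arrives), sketched as an added example; this is not the Nimiq project's code. The 4-byte big-endian length prefix, the function name `read_message`, and the 16 KB growth step are assumptions made for illustration; only the 1 MB limit comes from the advisory.

```rust
use std::io::{self, Read};

/// Cap taken from the advisory's remediation text (1 MB).
const MAX_MESSAGE_SIZE: usize = 1024 * 1024;
/// Growth step for the buffer; this value is an assumption for the example.
const CHUNK: usize = 16 * 1024;

/// Reads one length-prefixed message. The 4-byte big-endian prefix is an
/// assumed framing, chosen because a 32-bit length allows claims up to 4 GB.
fn read_message<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let mut len_bytes = [0u8; 4];
    r.read_exact(&mut len_bytes)?;
    let claimed = u32::from_be_bytes(len_bytes) as usize;

    // Reject oversized claims before allocating anything.
    if claimed > MAX_MESSAGE_SIZE {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "message exceeds size limit"));
    }

    // Grow the buffer only as bytes actually arrive, so a peer that claims
    // 1 MB and then stalls costs about one CHUNK of memory, not the full claim.
    let mut buf = Vec::new();
    while buf.len() < claimed {
        let want = CHUNK.min(claimed - buf.len());
        let start = buf.len();
        buf.resize(start + want, 0);
        let n = r.read(&mut buf[start..])?;
        buf.truncate(start + n);
        if n == 0 {
            return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "peer sent fewer bytes than claimed"));
        }
    }
    Ok(buf)
}

fn main() {
    // Constructed input: prefix claims 0xFFFF_FFFF bytes, followed by 3 bytes.
    let mut oversized: &[u8] = &[0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3];
    println!("{:?}", read_message(&mut oversized).map(|b| b.len()));

    // Constructed input: well-formed 5-byte message.
    let mut ok: &[u8] = &[0, 0, 0, 5, b'h', b'e', b'l', b'l', b'o'];
    println!("{:?}", read_message(&mut ok));
}
```

The pattern this replaces is allocating `vec![0; claimed]` directly from the peer-supplied length, which commits memory before any payload byte has been received.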

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.