libp2p Rust Gossipsub Backoff Handling Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the libp2p Rust implementation, specifically within the Gossipsub messaging protocol, in versions prior to 0.49.3. The issue arises because the Gossipsub implementation accepts PRUNE control messages with attacker-controlled backoff values. The backoff value is fed into unchecked time arithmetic, which overflows when the value is excessively large, such as u64::MAX. When this overflow occurs, it triggers a panic in the networking state machine, crashing the application. The vulnerability can be exploited remotely over a standard libp2p connection, without the need for authentication, by sending a single crafted PRUNE message with a large backoff value. This issue has been patched in version 0.49.3.

Impact

Exploitation of this vulnerability causes a remote, unauthenticated denial-of-service condition, crashing any application that runs a libp2p Gossipsub listener built on the affected backoff-handling logic.

Reproduction

To reproduce this vulnerability, establish a libp2p Gossipsub session with a target node. Once the session is active, send a PRUNE control message containing a very large backoff value, such as u64::MAX. When the target node processes this message, the oversized backoff will cause a time arithmetic overflow, leading to a panic and crash of the networking state machine.

Remediation

Users are advised to upgrade to libp2p Rust version 0.49.3 or later, which includes a fix for this vulnerability by improving the handling of Gossipsub backoff values.
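The pattern behind this advisory, as an added illustration in Rust that is not libp2p's own code: the unchecked Instant + Duration addition that panics on an oversized peer-supplied backoff, beside two defensive forms, checked arithmetic that surfaces the overflow as None so the PRUNE can be rejected, and a clamp to a protocol maximum before the arithmetic. MAX_BACKOFF_SECS and all function names are assumptions for this example, not libp2p constants or APIs.

```rust
use std::time::{Duration, Instant};

/// Upper bound a node is willing to honour for a peer-supplied backoff.
/// Assumed value for this example; not a libp2p constant.
const MAX_BACKOFF_SECS: u64 = 3600;

/// Vulnerable pattern: the backoff is attacker-controlled and the addition is
/// unchecked. `Instant + Duration` panics when the result is not representable,
/// which is exactly what a backoff near u64::MAX produces.
fn naive_backoff_expiry(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Hardened form 1: checked arithmetic. Overflow becomes `None`, so the caller
/// can drop the PRUNE (or ignore its backoff) instead of crashing the node.
fn checked_backoff_expiry(now: Instant, backoff_secs: u64) -> Option<Instant> {
    now.checked_add(Duration::from_secs(backoff_secs))
}

/// Hardened form 2: clamp untrusted input to the protocol maximum first, so an
/// absurd value degrades to the cap rather than being honoured or rejected.
fn clamped_backoff_secs(backoff_secs: u64) -> u64 {
    backoff_secs.min(MAX_BACKOFF_SECS)
}

/// Clamp, then still use checked arithmetic: defence in depth costs nothing here.
fn clamped_backoff_expiry(now: Instant, backoff_secs: u64) -> Option<Instant> {
    checked_backoff_expiry(now, clamped_backoff_secs(backoff_secs))
}

fn main() {
    let now = Instant::now();
    // The unchecked addition panics on the oversized value; catch it so the
    // demo can continue and show the two safe alternatives side by side.
    let naive = std::panic::catch_unwind(move || naive_backoff_expiry(now, u64::MAX));
    println!("unchecked add with u64::MAX panicked: {}", naive.is_err());
    println!("checked add with u64::MAX -> {:?}", checked_backoff_expiry(now, u64::MAX));
    println!(
        "clamped add with u64::MAX -> expiry in {:?}",
        clamped_backoff_expiry(now, u64::MAX).map(|t| t - now)
    );
}
```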

Added: Mar 20, 2026, 6:20 AM
Updated: Mar 20, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.