Skip to main content

nimiq-libp2p CVE-2026-34062

| EUVDEUVD-2026-25056 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 17:11 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 07:06 vuln.today
Patch available
Apr 22, 2026 - 20:32 EUVD
EUVD ID Assigned
Apr 22, 2026 - 20:01 euvd
EUVD-2026-25056
Analysis Generated
Apr 22, 2026 - 20:01 vuln.today
CVE Published
Apr 22, 2026 - 19:23 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, MessageCodec::read_request and read_response call read_to_end() on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because Behaviour::new also sets with_max_concurrent_streams(1000), the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.

AnalysisAI

Denial of service in nimiq-libp2p prior to version 1.3.0 allows remote peers to exhaust node resources by sending partial frames on inbound substreams and keeping them open. The vulnerability combines unbounded stream reading via read_to_end() with a high concurrent stream limit of 1000, enabling attackers to accumulate stalled slots and degrade network availability without authentication or user interaction.

Technical ContextAI

nimiq-libp2p is a Rust-based networking library implementing the Nimiq blockchain protocol atop libp2p. The vulnerability exists in the MessageCodec implementation, specifically in the read_request() and read_response() methods, which call read_to_end() on inbound substreams. This design flaw means the codec will block indefinitely waiting for stream closure when a peer sends a partial frame without completing the transmission. The Behaviour::new() constructor exacerbates this by setting with_max_concurrent_streams(1000), far exceeding libp2p's default concurrency limits. Under CWE-770 (Allocation of Resources Without Limits or Throttling), this allows attackers to accumulate many partially-read streams, consuming connection state and memory until the node becomes unresponsive.

RemediationAI

Upgrade nimiq-libp2p to version 1.3.0 or later immediately. The vendor-released patch (commit c021a5337b808c73571b44999f9753051bac7508, tagged as v1.3.0) fixes the unbounded stream reading and concurrent stream limits. Update Cargo.toml or equivalent package manifest to pin nimiq-libp2p >= 1.3.0 and run cargo update. No workarounds are available per the vendor advisory; patching is the only mitigation. Network operators should prioritize this update to prevent exploitation by peers on the Nimiq network.

Share

CVE-2026-34062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy