Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, network-libp2p discovery uses a libp2p ConnectionHandler state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer opens/negotiate the discovery protocol substream a second time on the same connection, the handler hits a panic!(\"Inbound already connected\") / panic!(\"Outbound already connected\") path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
AnalysisAI
Remote unauthenticated denial of service crashes Nimiq blockchain nodes by exploiting a protocol state machine flaw. Attackers can force panic conditions in the libp2p discovery handler by opening duplicate protocol substreams, immediately taking peer-to-peer networking offline until manual restart. Vendor-released patch available in version 1.3.0 with no workarounds for unpatched systems, creating urgent upgrade requirement for blockchain node operators.
Technical ContextAI
Nimiq network-libp2p implements peer discovery using libp2p's ConnectionHandler state machine architecture. The vulnerability (CWE-617: Reachable Assertion) exists in the discovery protocol's substream management logic. The handler incorrectly assumes at most one inbound and one outbound discovery substream can exist per connection simultaneously. When a remote peer negotiates the discovery protocol a second time on an existing connection, the code hits hardcoded panic assertions ('panic!("Inbound already connected")' or 'panic!("Outbound already connected")') rather than gracefully handling the duplicate substream attempt. In Rust, panic! calls cause thread/task termination, which in this case crashes the entire networking swarm task. This affects all network-libp2p versions prior to 1.3.0 (CPE: cpe:2.3:a:nimiq:network-libp2p:*:*:*:*:*:*:*:* where version < 1.3.0).
RemediationAI
Upgrade to Nimiq network-libp2p version 1.3.0 or later immediately. The patch is formally released as part of core-rs-albatross v1.3.0, available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. The fix implementation can be reviewed in commit e0d4e01994f061bf41d3c2835bc74040d3c084f5. No workarounds exist for unpatched versions per the vendor advisory. Node operators must perform version upgrade and service restart to remediate. For environments requiring staged deployment, prioritize internet-facing validator nodes and public peers first, as these have highest exposure to untrusted remote peers. Compensating controls are ineffective since the vulnerability exists in core protocol handling logic rather than configuration-dependent features. Network-level filtering cannot prevent exploitation as legitimate discovery protocol traffic is indistinguishable from malicious duplicate substream attempts until protocol negotiation occurs.
More in Network Libp2P
View allSame weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25058