Skip to main content

CVE-2026-35405

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-04 https://github.com/libp2p/rust-libp2p GHSA-cqfx-gf56-8x59
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 13:52 vuln.today
cvss_changed
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:45 vuln.today
CVE Published
Apr 04, 2026 - 06:33 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

Thelibp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register unique namespaces in a loop, and the server accepts the requests, allocating memory for each registration without pushback. If an attacker continues submitting malicous requests for long enough, (or with multiple sybil peers) the server process crashes due to OOM.

No auth is required; therefore, any peer on the network can do this.

Details

the bug is in Registrations::add() inside protocols/rendezvous/src/server.rs.

the store uses a BiMap keyed on (PeerId, Namespace) so yes, a peer can't register the *same* namespace twice. but there's nothing stopping it from registering 10,000 *different* namespaces. each unique one gets its own entry in:

  • registrations_for_peer (BiMap)
  • registrations (HashMap)
  • next_expiry (FuturesUnordered a new heap-allocated BoxFuture per registration)

namespace strings are only validated for length (MAX_NAMESPACE = 255), not count. there's no max_registrations_per_peer anywhere in Config or the rest of the codebase.

making it worse MAX_TTL = 72 hours. so every registration just sits there for up to 3 days. disconnecting doesn't clean anything up either, entries only go away when the TTL fires.

protocols/rendezvous/src/server.rs
  └── Registrations::add()   ← no per-peer count check anywhere

protocols/rendezvous/src/lib.rs
  ├── MAX_NAMESPACE = 255    ← length capped, count is not
  └── MAX_TTL = 72h          ← entries persist a long time

fix would be adding something like max_registrations_per_peer to Config and checking it at the top of add() before inserting anything.

PoC

tested on libp2p v0.56.1, built from source.

step 1 - start the rendezvous server (uses the example from the repo):

bash
cargo run --manifest-path examples/rendezvous/Cargo.toml --bin rendezvous-example

step 2 - run the flood client (attached as rzv-flood.rs):

bash
cargo run --manifest-path examples/rendezvous/Cargo.toml --bin rzv-flood

it connects as a single peer and registers 10,000 unique namespaces (flood-00000000 through flood-00009999), chaining each registration on the confirmed Registered event from the previous one.

server accepted every single one. not one rejection.

memory on the server side (via ps aux RSS column):

baseline:       ~18 MB
mid flood:      ~26 MB
after 10k regs: ~28 MB

that's from one peer. scale to 100 sybil peers doing the same thing and you're looking at ~1GB. 1000 peers and the server is dead.

<img width="1032" height="124" alt="image" src="https://github.com/user-attachments/assets/f778f179-2aa1-4485-940c-25e218733fa8" />

*server RSS climbing during the flood*

<img width="553" height="760" alt="image" src="https://github.com/user-attachments/assets/691b0f52-dda0-443f-a3c2-98c8c6336f2f" />

*10,000 registrations confirmed, zero rejected*

Impact

any node running libp2p-rendezvous server-side is affected. rendezvous servers are typically well-known, publicly reachable nodes taking one down disrupts peer discovery for all clients depending on it. any rust-libp2p based project that deploys a rendezvous point is at risk.

no special position on the network needed. no crypto work. just open a connection and send REGISTER in a loop.

AnalysisAI

Unbounded namespace registration in libp2p-rendezvous allows remote unauthenticated attackers to trigger out-of-memory conditions on rendezvous servers. The Rust implementation accepts unlimited unique namespace registrations per peer with 72-hour TTLs, enabling resource exhaustion via repeated REGISTER messages. Confirmed publicly available exploit code exists. CVSS 7.5 (High) reflects network accessibility and lack of authentication barriers, while the straightforward attack vector (simple loop of registration requests) presents immediate risk to public rendezvous nodes critical for peer discovery in libp2p networks.

Technical ContextAI

libp2p-rendezvous implements a peer discovery protocol where nodes register with namespace identifiers on rendezvous servers. The vulnerability resides in the Registrations::add() method within protocols/rendezvous/src/server.rs, which uses a BiMap keyed on (PeerId, Namespace) tuples. While duplicate namespace registrations from the same peer are prevented, the implementation enforces only namespace string length limits (MAX_NAMESPACE = 255 bytes) without any per-peer registration count restrictions. Each unique namespace registration allocates memory across three data structures: registrations_for_peer BiMap, registrations HashMap, and next_expiry FuturesUnordered collection with heap-allocated BoxFuture instances. The 72-hour maximum TTL (MAX_TTL) causes entries to persist even after peer disconnection, as cleanup occurs only upon TTL expiration. This maps to CWE-770 (Allocation of Resources Without Limits or Throttling), a common anti-pattern in network services lacking admission control.

RemediationAI

Apply vendor-released patches by upgrading to fixed versions of libp2p-rendezvous as specified in the GitHub security advisory at https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59. The recommended fix involves adding a max_registrations_per_peer configuration parameter to the Config structure and implementing count validation at the beginning of the Registrations::add() method before allocating memory for new entries. Until patches are applied, implement network-level rate limiting on REGISTER message types per peer IP address, reduce MAX_TTL configuration to minimize resource persistence windows, and monitor rendezvous server memory consumption for anomalous growth patterns. Deploy rendezvous servers behind reverse proxies or load balancers capable of enforcing per-peer connection and request rate limits. For production environments, consider implementing allowlists of trusted peer IDs if the use case permits authenticated rendezvous participation.

Share

CVE-2026-35405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy