Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.
AnalysisAI
Panic-triggered denial of service in Nimiq's core-rs-albatross (versions prior to 1.4.0) allows a network-level attacker to crash the node's RPC task by injecting a signed PeerContact with an empty addresses list into the libp2p peer discovery layer. The crash is deferred: the malicious contact is accepted and stored silently, but any subsequent call to get_address_book - from an RPC client or web client - triggers an unconditional Rust panic via .expect() on an empty iterator. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and network-accessible vector make casual exploitation plausible against any exposed node operator workflow.
Technical ContextAI
The affected component is the libp2p-based peer discovery subsystem within Nimiq's Rust blockchain implementation, identified by CPE cpe:2.3:a:nimiq:core-rs-albatross:*:*:*:*:*:*:*:*. Peer discovery operates via signed PeerContact messages, which can legally carry an empty addresses field - no protocol-level validation enforces at least one address. The root cause maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions): the PeerContactBook::known_peers function called addresses.first().expect('every peer should have at least one address') without guarding against an empty list. In Rust, .expect() on a None value triggers an unrecoverable panic, which depending on the panic runtime setting either terminates the thread/task or the entire process. The fix in PR #3715 replaced .map() with .filter_map() using the ? operator, silently skipping contacts whose address list is empty rather than panicking.
RemediationAI
The primary fix is upgrading core-rs-albatross to version 1.4.0, released at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0. The upstream patch is confirmed via PR #3715 (https://github.com/nimiq/core-rs-albatross/pull/3715), which replaces the panicking .expect() call with a .filter_map() that silently drops peer contacts carrying empty address lists. If an immediate upgrade is not feasible, operators can reduce exposure by restricting access to the RPC and web client endpoints that invoke get_address_book - blocking external callers prevents the panic trigger, though the malicious contacts will still accumulate in memory. A further compensating control is network-level egress/ingress filtering to limit which peers can participate in libp2p discovery, reducing the attacker's ability to insert malicious PeerContact entries; however, this degrades peer diversity and may affect blockchain synchronization. Neither workaround eliminates the root cause - upgrading to v1.4.0 is the definitive remediation.
More in Core Rs Albatross
View allInteger truncation in Nimiq core-rs-albatross's skip block proof verification allows authenticated validators to forge c
Timestamp manipulation in Nimiq Core Rust implementation (nimiq-blockchain 1.3.0 and earlier) allows authenticated block
Nimiq core-rs-albatross validators prior to version 1.3.0 can be remotely crashed via malformed Tendermint proposals. An
Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic de
Denial of service in Nimiq Core RS Albatross prior to version 1.3.0 allows remote attackers to crash full nodes by sendi
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31195