klever-go CVE-2026-49343
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The account-data trie syncers leak bounded throttler slots on error paths in syncDataTrie(). Each failed trie sync permanently consumes one slot from the NumGoRoutinesThrottler, and the slot is never returned unless the sync succeeds or the root hash was already present.
I confirmed this on the current default branch develop at commit 9640d63 (observed on May 20, 2026). I also confirmed the bug with a runtime PoC using the real timeout path in trieSyncer.StartSyncing(): two timed-out sync attempts are enough to exhaust a throttler with capacity 2.
This affects the epoch bootstrap path because syncUserAccountsState() and syncKappAccountsState() create bounded throttlers and abort bootstrap immediately if the syncer returns an error. Once enough trie-root sync attempts fail, the syncer cannot make forward progress and bootstrap fails.
Affected Components
data/syncer/userAccountsSyncer.godata/syncer/kappAccountsSyncer.godata/trie/sync.gocore/throttler/numGoRoutinesThrottler.gocore/bootstrap/process.go
Affected Version
Verified on:
developHEAD9640d63
Please check whether the same code is present in supported 1.7.x releases.
Suggested Severity
High
Vulnerability Details
Root Cause
Both account-data syncers call StartProcessing() before creating / starting the trie syncer, but they only call EndProcessing() on the success path and on the duplicate-root early return.
userAccountsSyncer.syncDataTrie():
func (u *userAccountsSyncer) syncDataTrie(rootHash []byte, ssh data.SyncStatisticsHandler, ctx context.Context) error {
u.throttler.StartProcessing()
u.syncerMutex.Lock()
if _, ok := u.dataTries[string(rootHash)]; ok {
u.syncerMutex.Unlock()
u.throttler.EndProcessing()
return nil
}
dataTrie, err := trie.NewTrie(...)
if err != nil {
u.syncerMutex.Unlock()
return err
}
trieSyncer, err := trie.NewTrieSyncer(arg)
if err != nil {
u.syncerMutex.Unlock()
return err
}
u.syncerMutex.Unlock()
err = trieSyncer.StartSyncing(rootHash, ctx)
if err != nil {
return err
}
u.throttler.EndProcessing()
return nil
}
The same bug exists in kappAccountsSyncer.syncDataTrie().Missing slot release paths
After StartProcessing(), the following error paths return without EndProcessing():
- trie.NewTrie(...) returns an error
- trie.NewTrieSyncer(...) returns an error
- trieSyncer.StartSyncing(...) returns an error
Why this matters
NumGoRoutinesThrottler is a strict bounded counter:
func (ngrt *NumGoRoutinesThrottler) CanProcess() bool {
valCounter := atomic.LoadInt32(&ngrt.counter)
return valCounter < ngrt.max
}
func (ngrt *NumGoRoutinesThrottler) StartProcessing() {
atomic.AddInt32(&ngrt.counter, 1)
}
func (ngrt *NumGoRoutinesThrottler) EndProcessing() {
atomic.AddInt32(&ngrt.counter, -1)
}
Once leaked, a slot remains consumed for the lifetime of that throttler instance.
The parent loops in both syncers wait for capacity before starting the next account-data trie sync:
for !u.throttler.CanProcess() {
select {
case <-time.After(timeBetweenRetries):
continue
case <-ctx.Done():
return common.ErrTimeIsOut
}
}So after enough failures, further roots stop progressing and the sync operation eventually returns time is out.
Bootstrap impact
Epoch bootstrap uses these syncers directly and aborts on any error:
err = e.syncUserAccountsState(e.epochStartMeta.Header.TrieRoot)
if err != nil {
return nil, nil, err
}
err = e.syncKappAccountsState(e.epochStartMeta.Header.KAppsTrieRoot)
if err != nil {
return nil, nil, err
}The throttlers for these paths are real bounded throttlers created from numConcurrentTrieSyncers.
Proof of Concept
I verified the bug with the real timeout path, not only with a canceled context.
The PoC below uses:
- a real NumGoRoutinesThrottler with capacity 2
- a real trieSyncer.StartSyncing()
- an empty trie-node cache and a request handler that never supplies nodes
- a short sync timeout (1s) so StartSyncing() returns trie.ErrTimeIsOut
After the first failed sync, one slot remains leaked. After the second failed sync, the throttler is exhausted.
PoC test
package syncer
import (
"context"
"testing"
"time"
commonmock "github.com/klever-io/klever-go/common/mock"
corethrottler "github.com/klever-io/klever-go/core/throttler"
"github.com/klever-io/klever-go/data"
"github.com/klever-io/klever-go/data/trie"
triestats "github.com/klever-io/klever-go/data/trie/statistics"
"github.com/stretchr/testify/require"
)
func newBaseSyncerForTimeoutPOC(t *testing.T) *baseAccountsSyncer {
t.Helper()
storageManager, err := trie.NewTrieStorageManagerWithoutPruning(commonmock.NewMemDbMock())
require.NoError(t, err)
return &baseAccountsSyncer{
hasher: commonmock.HasherMock{},
marshalizer: &commonmock.MarshalizerMock{},
trieSyncers: make(map[string]data.TrieSyncer),
dataTries: make(map[string]data.Trie),
trieStorageManager: storageManager,
requestHandler: &commonmock.RequestHandlerStub{},
timeout: time.Second,
cacher: commonmock.NewCacherStub(),
maxTrieLevelInMemory: 5,
name: "timeout-poc",
maxHardCapForMissingNodes: 1,
}
}
func TestPOC_UserAccountsSyncer_LeaksThrottlerSlotOnTrieTimeout(t *testing.T) {
thr, err := corethrottler.NewNumGoRoutinesThrottler(2)
require.NoError(t, err)
s := &userAccountsSyncer{
baseAccountsSyncer: newBaseSyncerForTimeoutPOC(t),
throttler: thr,
}
err = s.syncDataTrie([]byte("missing-root-1"), triestats.NewTrieSyncStatistics(), context.Background())
require.ErrorIs(t, err, trie.ErrTimeIsOut)
require.True(t, thr.CanProcess())
err = s.syncDataTrie([]byte("missing-root-2"), triestats.NewTrieSyncStatistics(), context.Background())
require.ErrorIs(t, err, trie.ErrTimeIsOut)
require.False(t, thr.CanProcess())
}
func TestPOC_KappAccountsSyncer_LeaksThrottlerSlotOnTrieTimeout(t *testing.T) {
thr, err := corethrottler.NewNumGoRoutinesThrottler(2)
require.NoError(t, err)
s := &kappAccountsSyncer{
baseAccountsSyncer: newBaseSyncerForTimeoutPOC(t),
throttler: thr,
}
err = s.syncDataTrie([]byte("missing-root-1"), triestats.NewTrieSyncStatistics(), context.Background())
require.ErrorIs(t, err, trie.ErrTimeIsOut)
require.True(t, thr.CanProcess())
err = s.syncDataTrie([]byte("missing-root-2"), triestats.NewTrieSyncStatistics(), context.Background())
require.ErrorIs(t, err, trie.ErrTimeIsOut)
require.False(t, thr.CanProcess())
}Command used
go test ./data/syncer -run 'TestPOC_(User|Kapp)AccountsSyncer_LeaksThrottlerSlotOnTrieTimeout' -count=1Result
ok github.com/klever-io/klever-go/data/syncer 4.005sThis confirms the leak with the real timeout path from trieSyncer.StartSyncing().
Impact
An attacker who can repeatedly cause trie-node sync failures or timeouts during bootstrap can consume the bounded sync throttler until no capacity remains.
Once enough slots are leaked:
- additional account-data trie sync attempts stop making progress
- the parent loop waits until context timeout
- SyncAccounts() fails
- epoch bootstrap fails
This is a core node availability issue. It affects fresh/restarting nodes and validators that need to bootstrap or resync state.
This is not a theoretical issue:
- StartSyncing() performs network-dependent trie-node retrieval
- it already has explicit timeout / failure paths
- the leaked throttler slots are confirmed by runtime PoC
Recommended Fix
Release the slot with defer immediately after StartProcessing() and cancel the defer only if ownership is intentionally transferred, which is not the case here.
Example fix pattern:
func (u *userAccountsSyncer) syncDataTrie(rootHash []byte, ssh data.SyncStatisticsHandler, ctx context.Context) error {
u.throttler.StartProcessing()
defer u.throttler.EndProcessing()
u.syncerMutex.Lock()
defer u.syncerMutex.Unlock()
if _, ok := u.dataTries[string(rootHash)]; ok {
return nil
}
dataTrie, err := trie.NewTrie(...)
if err != nil {
return err
}
trieSyncer, err := trie.NewTrieSyncer(arg)
if err != nil {
return err
}
u.trieSyncers[string(rootHash)] = trieSyncer
return trieSyncer.StartSyncing(rootHash, ctx)
}The same pattern should be applied to:
- data/syncer/userAccountsSyncer.go
- data/syncer/kappAccountsSyncer.go
References
- data/syncer/userAccountsSyncer.go
- data/syncer/kappAccountsSyncer.go
- data/trie/sync.go
- core/throttler/numGoRoutinesThrottler.go
- core/bootstrap/process.go
- SECURITY.md
AnalysisAI
Throttler slot exhaustion in klever-go's account-data trie syncer enables unauthenticated remote attackers to permanently consume all NumGoRoutinesThrottler slots by causing repeated trie-node sync failures or timeouts during epoch bootstrap, halting node participation in consensus. Both userAccountsSyncer.syncDataTrie() and kappAccountsSyncer.syncDataTrie() call StartProcessing() but omit EndProcessing() on three distinct error paths, meaning each failed sync permanently leaks one slot for the lifetime of that throttler instance. A runtime proof-of-concept is publicly confirmed in GHSA-fw38-pc54-jvx9 showing that exactly N timeout failures exhaust a capacity-N throttler; no CISA KEV listing exists at time of analysis, but the operational impact on bootstrapping validators is severe.
Technical ContextAI
The affected package is pkg:go/github.com_klever-io_klever-go (all versions < 1.7.18), a Go-based Klever blockchain node implementation. The root cause (CWE-400: Uncontrolled Resource Consumption) is a missing defer pattern around NumGoRoutinesThrottler slot management in data/syncer/userAccountsSyncer.go and data/syncer/kappAccountsSyncer.go. The NumGoRoutinesThrottler (core/throttler/numGoRoutinesThrottler.go) uses atomic int32 operations as a strict bounded concurrency gate: StartProcessing() increments the counter, EndProcessing() decrements it, and CanProcess() blocks when the counter reaches its maximum. In syncDataTrie(), StartProcessing() is called before the trie creation sequence, but EndProcessing() only fires on the success path and the duplicate-root early return - three error exit paths (trie.NewTrie() failure, trie.NewTrieSyncer() failure, and trieSyncer.StartSyncing() timeout) all return without releasing the slot. The parent sync loop in both syncers polls CanProcess() before launching each trie sync; once exhausted, it blocks until context cancellation returns ErrTimeIsOut. The epoch bootstrap path in core/bootstrap/process.go calls these syncers serially and aborts immediately on any error, making throttler exhaustion a complete bootstrap failure.
RemediationAI
Upgrade to klever-go v1.7.18 immediately; release notes at https://github.com/klever-io/klever-go/releases/tag/v1.7.18 confirm this is a coordinated security release closing five remotely-triggerable DoS vulnerabilities with no breaking changes, no configuration changes, and no data migration required relative to v1.7.17. The fix introduces defer u.throttler.EndProcessing() immediately after StartProcessing() in both userAccountsSyncer.syncDataTrie() and kappAccountsSyncer.syncDataTrie(), ensuring the slot is unconditionally released on all exit paths including error returns and timeouts. If an immediate upgrade is not feasible, the most actionable compensating control is to restrict the node's P2P peer list to explicitly trusted, allowlisted peers using the node's peer management configuration, reducing the attacker's ability to induce sync timeouts via eclipse or network partition - note this reduces peer diversity and may slow legitimate state sync. Increasing numConcurrentTrieSyncers raises the number of failures required to exhaust the throttler but does not fix the leak and only delays exploitation. Neither workaround eliminates the vulnerability; upgrade to v1.7.18 is the only complete remediation.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fw38-pc54-jvx9