Skip to main content

klever-go CVE-2026-49343

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-05 https://github.com/klever-io/klever-go GHSA-fw38-pc54-jvx9
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 05, 2026 - 17:29 vuln.today
Analysis Generated
Jun 05, 2026 - 17:29 vuln.today

DescriptionGitHub Advisory

Summary

The account-data trie syncers leak bounded throttler slots on error paths in syncDataTrie(). Each failed trie sync permanently consumes one slot from the NumGoRoutinesThrottler, and the slot is never returned unless the sync succeeds or the root hash was already present.

I confirmed this on the current default branch develop at commit 9640d63 (observed on May 20, 2026). I also confirmed the bug with a runtime PoC using the real timeout path in trieSyncer.StartSyncing(): two timed-out sync attempts are enough to exhaust a throttler with capacity 2.

This affects the epoch bootstrap path because syncUserAccountsState() and syncKappAccountsState() create bounded throttlers and abort bootstrap immediately if the syncer returns an error. Once enough trie-root sync attempts fail, the syncer cannot make forward progress and bootstrap fails.

Affected Components

  • data/syncer/userAccountsSyncer.go
  • data/syncer/kappAccountsSyncer.go
  • data/trie/sync.go
  • core/throttler/numGoRoutinesThrottler.go
  • core/bootstrap/process.go

Affected Version

Verified on:

  • develop HEAD 9640d63

Please check whether the same code is present in supported 1.7.x releases.

Suggested Severity

High

Vulnerability Details

Root Cause

Both account-data syncers call StartProcessing() before creating / starting the trie syncer, but they only call EndProcessing() on the success path and on the duplicate-root early return.

userAccountsSyncer.syncDataTrie():

go
  func (u *userAccountsSyncer) syncDataTrie(rootHash []byte, ssh data.SyncStatisticsHandler, ctx context.Context) error {
      u.throttler.StartProcessing()

      u.syncerMutex.Lock()
      if _, ok := u.dataTries[string(rootHash)]; ok {
          u.syncerMutex.Unlock()
          u.throttler.EndProcessing()
          return nil
      }

      dataTrie, err := trie.NewTrie(...)
      if err != nil {
          u.syncerMutex.Unlock()
          return err
      }

      trieSyncer, err := trie.NewTrieSyncer(arg)
      if err != nil {
          u.syncerMutex.Unlock()
          return err
      }

      u.syncerMutex.Unlock()

      err = trieSyncer.StartSyncing(rootHash, ctx)
      if err != nil {
          return err
      }

      u.throttler.EndProcessing()
      return nil
  }

  The same bug exists in kappAccountsSyncer.syncDataTrie().

Missing slot release paths

After StartProcessing(), the following error paths return without EndProcessing():

  1. trie.NewTrie(...) returns an error
  2. trie.NewTrieSyncer(...) returns an error
  3. trieSyncer.StartSyncing(...) returns an error

Why this matters

NumGoRoutinesThrottler is a strict bounded counter:

  func (ngrt *NumGoRoutinesThrottler) CanProcess() bool {
      valCounter := atomic.LoadInt32(&ngrt.counter)
      return valCounter < ngrt.max
  }

  func (ngrt *NumGoRoutinesThrottler) StartProcessing() {
      atomic.AddInt32(&ngrt.counter, 1)
  }

  func (ngrt *NumGoRoutinesThrottler) EndProcessing() {
      atomic.AddInt32(&ngrt.counter, -1)
  }

  Once leaked, a slot remains consumed for the lifetime of that throttler instance.

  The parent loops in both syncers wait for capacity before starting the next account-data trie sync:

  for !u.throttler.CanProcess() {
      select {
      case <-time.After(timeBetweenRetries):
          continue
      case <-ctx.Done():
          return common.ErrTimeIsOut
      }
  }

So after enough failures, further roots stop progressing and the sync operation eventually returns time is out.

Bootstrap impact

Epoch bootstrap uses these syncers directly and aborts on any error:

  err = e.syncUserAccountsState(e.epochStartMeta.Header.TrieRoot)
  if err != nil {
      return nil, nil, err
  }

  err = e.syncKappAccountsState(e.epochStartMeta.Header.KAppsTrieRoot)
  if err != nil {
      return nil, nil, err
  }

The throttlers for these paths are real bounded throttlers created from numConcurrentTrieSyncers.

Proof of Concept

I verified the bug with the real timeout path, not only with a canceled context.

The PoC below uses:

  • a real NumGoRoutinesThrottler with capacity 2
  • a real trieSyncer.StartSyncing()
  • an empty trie-node cache and a request handler that never supplies nodes
  • a short sync timeout (1s) so StartSyncing() returns trie.ErrTimeIsOut

After the first failed sync, one slot remains leaked. After the second failed sync, the throttler is exhausted.

PoC test

  package syncer

  import (
        "context"
        "testing"
        "time"

        commonmock "github.com/klever-io/klever-go/common/mock"
        corethrottler "github.com/klever-io/klever-go/core/throttler"
        "github.com/klever-io/klever-go/data"
        "github.com/klever-io/klever-go/data/trie"
        triestats "github.com/klever-io/klever-go/data/trie/statistics"
        "github.com/stretchr/testify/require"
  )

  func newBaseSyncerForTimeoutPOC(t *testing.T) *baseAccountsSyncer {
        t.Helper()

        storageManager, err := trie.NewTrieStorageManagerWithoutPruning(commonmock.NewMemDbMock())
        require.NoError(t, err)

        return &baseAccountsSyncer{
                hasher:                    commonmock.HasherMock{},
                marshalizer:               &commonmock.MarshalizerMock{},
                trieSyncers:               make(map[string]data.TrieSyncer),
                dataTries:                 make(map[string]data.Trie),
                trieStorageManager:        storageManager,
                requestHandler:            &commonmock.RequestHandlerStub{},
                timeout:                   time.Second,
                cacher:                    commonmock.NewCacherStub(),
                maxTrieLevelInMemory:      5,
                name:                      "timeout-poc",
                maxHardCapForMissingNodes: 1,
        }
  }

  func TestPOC_UserAccountsSyncer_LeaksThrottlerSlotOnTrieTimeout(t *testing.T) {
        thr, err := corethrottler.NewNumGoRoutinesThrottler(2)
        require.NoError(t, err)

        s := &userAccountsSyncer{
                baseAccountsSyncer: newBaseSyncerForTimeoutPOC(t),
                throttler:          thr,
        }

        err = s.syncDataTrie([]byte("missing-root-1"), triestats.NewTrieSyncStatistics(), context.Background())
        require.ErrorIs(t, err, trie.ErrTimeIsOut)
        require.True(t, thr.CanProcess())

        err = s.syncDataTrie([]byte("missing-root-2"), triestats.NewTrieSyncStatistics(), context.Background())
        require.ErrorIs(t, err, trie.ErrTimeIsOut)
        require.False(t, thr.CanProcess())
  }

  func TestPOC_KappAccountsSyncer_LeaksThrottlerSlotOnTrieTimeout(t *testing.T) {
        thr, err := corethrottler.NewNumGoRoutinesThrottler(2)
        require.NoError(t, err)

        s := &kappAccountsSyncer{
                baseAccountsSyncer: newBaseSyncerForTimeoutPOC(t),
                throttler:          thr,
        }

        err = s.syncDataTrie([]byte("missing-root-1"), triestats.NewTrieSyncStatistics(), context.Background())
        require.ErrorIs(t, err, trie.ErrTimeIsOut)
        require.True(t, thr.CanProcess())

        err = s.syncDataTrie([]byte("missing-root-2"), triestats.NewTrieSyncStatistics(), context.Background())
        require.ErrorIs(t, err, trie.ErrTimeIsOut)
        require.False(t, thr.CanProcess())
  }

Command used

  go test ./data/syncer -run 'TestPOC_(User|Kapp)AccountsSyncer_LeaksThrottlerSlotOnTrieTimeout' -count=1

Result

  ok    github.com/klever-io/klever-go/data/syncer      4.005s

This confirms the leak with the real timeout path from trieSyncer.StartSyncing().

Impact

An attacker who can repeatedly cause trie-node sync failures or timeouts during bootstrap can consume the bounded sync throttler until no capacity remains.

Once enough slots are leaked:

  • additional account-data trie sync attempts stop making progress
  • the parent loop waits until context timeout
  • SyncAccounts() fails
  • epoch bootstrap fails

This is a core node availability issue. It affects fresh/restarting nodes and validators that need to bootstrap or resync state.

This is not a theoretical issue:

  • StartSyncing() performs network-dependent trie-node retrieval
  • it already has explicit timeout / failure paths
  • the leaked throttler slots are confirmed by runtime PoC

Recommended Fix

Release the slot with defer immediately after StartProcessing() and cancel the defer only if ownership is intentionally transferred, which is not the case here.

Example fix pattern:

  func (u *userAccountsSyncer) syncDataTrie(rootHash []byte, ssh data.SyncStatisticsHandler, ctx context.Context) error {
      u.throttler.StartProcessing()
      defer u.throttler.EndProcessing()

      u.syncerMutex.Lock()
      defer u.syncerMutex.Unlock()

      if _, ok := u.dataTries[string(rootHash)]; ok {
          return nil
      }

      dataTrie, err := trie.NewTrie(...)
      if err != nil {
          return err
      }

      trieSyncer, err := trie.NewTrieSyncer(arg)
      if err != nil {
          return err
      }

      u.trieSyncers[string(rootHash)] = trieSyncer
      return trieSyncer.StartSyncing(rootHash, ctx)
  }

The same pattern should be applied to:

  • data/syncer/userAccountsSyncer.go
  • data/syncer/kappAccountsSyncer.go

References

  • data/syncer/userAccountsSyncer.go
  • data/syncer/kappAccountsSyncer.go
  • data/trie/sync.go
  • core/throttler/numGoRoutinesThrottler.go
  • core/bootstrap/process.go
  • SECURITY.md

AnalysisAI

Throttler slot exhaustion in klever-go's account-data trie syncer enables unauthenticated remote attackers to permanently consume all NumGoRoutinesThrottler slots by causing repeated trie-node sync failures or timeouts during epoch bootstrap, halting node participation in consensus. Both userAccountsSyncer.syncDataTrie() and kappAccountsSyncer.syncDataTrie() call StartProcessing() but omit EndProcessing() on three distinct error paths, meaning each failed sync permanently leaks one slot for the lifetime of that throttler instance. A runtime proof-of-concept is publicly confirmed in GHSA-fw38-pc54-jvx9 showing that exactly N timeout failures exhaust a capacity-N throttler; no CISA KEV listing exists at time of analysis, but the operational impact on bootstrapping validators is severe.

Technical ContextAI

The affected package is pkg:go/github.com_klever-io_klever-go (all versions < 1.7.18), a Go-based Klever blockchain node implementation. The root cause (CWE-400: Uncontrolled Resource Consumption) is a missing defer pattern around NumGoRoutinesThrottler slot management in data/syncer/userAccountsSyncer.go and data/syncer/kappAccountsSyncer.go. The NumGoRoutinesThrottler (core/throttler/numGoRoutinesThrottler.go) uses atomic int32 operations as a strict bounded concurrency gate: StartProcessing() increments the counter, EndProcessing() decrements it, and CanProcess() blocks when the counter reaches its maximum. In syncDataTrie(), StartProcessing() is called before the trie creation sequence, but EndProcessing() only fires on the success path and the duplicate-root early return - three error exit paths (trie.NewTrie() failure, trie.NewTrieSyncer() failure, and trieSyncer.StartSyncing() timeout) all return without releasing the slot. The parent sync loop in both syncers polls CanProcess() before launching each trie sync; once exhausted, it blocks until context cancellation returns ErrTimeIsOut. The epoch bootstrap path in core/bootstrap/process.go calls these syncers serially and aborts immediately on any error, making throttler exhaustion a complete bootstrap failure.

RemediationAI

Upgrade to klever-go v1.7.18 immediately; release notes at https://github.com/klever-io/klever-go/releases/tag/v1.7.18 confirm this is a coordinated security release closing five remotely-triggerable DoS vulnerabilities with no breaking changes, no configuration changes, and no data migration required relative to v1.7.17. The fix introduces defer u.throttler.EndProcessing() immediately after StartProcessing() in both userAccountsSyncer.syncDataTrie() and kappAccountsSyncer.syncDataTrie(), ensuring the slot is unconditionally released on all exit paths including error returns and timeouts. If an immediate upgrade is not feasible, the most actionable compensating control is to restrict the node's P2P peer list to explicitly trusted, allowlisted peers using the node's peer management configuration, reducing the attacker's ability to induce sync timeouts via eclipse or network partition - note this reduces peer diversity and may slow legitimate state sync. Increasing numConcurrentTrieSyncers raises the number of failures required to exhaust the throttler but does not fix the leak and only delays exploitation. Neither workaround eliminates the vulnerability; upgrade to v1.7.18 is the only complete remediation.

Share

CVE-2026-49343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy