Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, MessageCodec::read_request and read_response call read_to_end() on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because Behaviour::new also sets with_max_concurrent_streams(1000), the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
AnalysisAI
Denial of service in nimiq-libp2p prior to version 1.3.0 allows remote peers to exhaust node resources by sending partial frames on inbound substreams and keeping them open. The vulnerability combines unbounded stream reading via read_to_end() with a high concurrent stream limit of 1000, enabling attackers to accumulate stalled slots and degrade network availability without authentication or user interaction.
Technical ContextAI
nimiq-libp2p is a Rust-based networking library implementing the Nimiq blockchain protocol atop libp2p. The vulnerability exists in the MessageCodec implementation, specifically in the read_request() and read_response() methods, which call read_to_end() on inbound substreams. This design flaw means the codec will block indefinitely waiting for stream closure when a peer sends a partial frame without completing the transmission. The Behaviour::new() constructor exacerbates this by setting with_max_concurrent_streams(1000), far exceeding libp2p's default concurrency limits. Under CWE-770 (Allocation of Resources Without Limits or Throttling), this allows attackers to accumulate many partially-read streams, consuming connection state and memory until the node becomes unresponsive.
RemediationAI
Upgrade nimiq-libp2p to version 1.3.0 or later immediately. The vendor-released patch (commit c021a5337b808c73571b44999f9753051bac7508, tagged as v1.3.0) fixes the unbounded stream reading and concurrent stream limits. Update Cargo.toml or equivalent package manifest to pin nimiq-libp2p >= 1.3.0 and run cargo update. No workarounds are available per the vendor advisory; patching is the only mitigation. Network operators should prioritize this update to prevent exploitation by peers on the Nimiq network.
More in Network Libp2P
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25056