{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/klever-go/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["klever-go"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","decompression-bomb","klever-go"],"_cs_type":"threat","_cs_vendors":["klever-io"],"content_html":"\u003cp\u003eKlever-Go\u0026rsquo;s \u003ccode\u003eMultiDataInterceptor\u003c/code\u003e is vulnerable to a denial-of-service attack stemming from uncontrolled decompression within the \u003ccode\u003eBatch.Decompress\u003c/code\u003e function. This flaw allows any peer on a topic served by \u003ccode\u003eMultiDataInterceptor\u003c/code\u003e to trigger multi-gigabyte heap allocations on the receiving node through a sub-50 KiB gossip payload. A single malicious packet can OOM-kill a validator with standard memory provisioning, potentially halting chain liveness. Discovered during an internal security review, the vulnerability affects \u003ccode\u003ecore/process/interceptors/multiDataInterceptor.go\u003c/code\u003e at commit \u003ccode\u003e405d01b0abbf0d3e73b4a990bd7394a01f200dc2\u003c/code\u003e. It\u0026rsquo;s distinct from the \u003ccode\u003eGHSA-74m6-4hjp-7226\u003c/code\u003e throttler-slot-leak issue but resides in adjacent code within the same call path. The attack leverages the lack of size validation during decompression, enabling attackers to send small, compressed payloads that expand into enormous data structures in memory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious compressed payload. This payload is designed to decompress into an extremely large data structure, such as a \u003ccode\u003eBatch\u003c/code\u003e containing millions of entries.\u003c/li\u003e\n\u003cli\u003eThe malicious payload is sent to a Klever-Go node participating in a topic served by \u003ccode\u003eMultiDataInterceptor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMultiDataInterceptor.ProcessReceivedMessage\u003c/code\u003e function receives the gossip message.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003eProcessReceivedMessage\u003c/code\u003e, the \u003ccode\u003eb.Decompress\u003c/code\u003e function is called on the received batch data, as the \u003ccode\u003eIsCompressed\u003c/code\u003e flag is set.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBatch.Decompress\u003c/code\u003e calls \u003ccode\u003edecompressGzip\u003c/code\u003e which uses \u003ccode\u003eio.ReadAll\u003c/code\u003e without any size limits, leading to an unbounded memory allocation based on the compressed data.\u003c/li\u003e\n\u003cli\u003eAfter successful decompression, \u003ccode\u003eDecompress\u003c/code\u003e attempts to unmarshal the inflated bytes back into a \u003ccode\u003eBatch\u003c/code\u003e structure, again without any size constraints.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled \u003ccode\u003eDataSize\u003c/code\u003e field is not validated, allowing a small compressed packet to expand into a huge memory allocation.\u003c/li\u003e\n\u003cli\u003eThe memory allocation leads to an out-of-memory (OOM) condition, crashing the Klever-Go node and disrupting chain liveness.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition on Klever-Go nodes. A single, crafted packet is sufficient to exhaust the memory resources of a validator, leading to its crash. This can impact chain liveness and availability, potentially affecting the entire network if multiple validators are targeted. The low payload size coupled with high amplification makes it easy for attackers to disrupt Klever-Go networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch that remediates the vulnerability in \u003ccode\u003edata/batch/batch.go\u003c/code\u003e and \u003ccode\u003ecore/process/interceptors/multiDataInterceptor.go\u003c/code\u003e as outlined in \u003ca href=\"https://github.com/advisories/GHSA-87m7-qffr-542v\"\u003eGHSA-87m7-qffr-542v\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for abnormally large compressed payloads being sent to Klever-Go nodes using the rules provided below.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and size validation on incoming gossip messages to mitigate the impact of similar decompression-based attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T01:37:17Z","date_published":"2026-05-13T01:37:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-klever-go-oom/","summary":"Klever-Go's MultiDataInterceptor is vulnerable to a remote denial-of-service (DoS) attack. By sending a crafted compressed P2P payload, an unauthenticated attacker can trigger excessive memory allocation on the receiving node, leading to an out-of-memory (OOM) condition and potentially disrupting chain liveness.","title":"Klever-Go MultiDataInterceptor Remote OOM via Compressed Payload","url":"https://feed.craftedsignal.io/briefs/2026-05-klever-go-oom/"}],"language":"en","title":"CraftedSignal Threat Feed — Klever-Go","version":"https://jsonfeed.org/version/1.1"}