{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/libp2p/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libp2p","rendezvous","denial-of-service"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003elibp2p-rendezvous\u003c/code\u003e server prior to version 0.17.1 is susceptible to a denial-of-service (DoS) attack. An attacker can exploit the lack of limitations on namespace registrations per peer. By repeatedly registering unique namespaces, the server allocates memory without restriction, leading to an out-of-memory (OOM) crash. This vulnerability requires no authentication, allowing any peer on the network to initiate the attack. The issue stems from the \u003ccode\u003eRegistrations::add()\u003c/code\u003e function in \u003ccode\u003eprotocols/rendezvous/src/server.rs\u003c/code\u003e, which does not enforce a maximum number of registrations per peer. 
The \u003ccode\u003eMAX_TTL\u003c/code\u003e of 72 hours exacerbates the problem, as registrations persist for up to three days even if the peer disconnects.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker connects to a publicly accessible \u003ccode\u003elibp2p-rendezvous\u003c/code\u003e server.\u003c/li\u003e\n\u003cli\u003eAttacker sends a REGISTER request to the server for a unique namespace.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s \u003ccode\u003eRegistrations::add()\u003c/code\u003e function processes the request and adds the namespace to its internal data structures (\u003ccode\u003eregistrations_for_peer\u003c/code\u003e, \u003ccode\u003eregistrations\u003c/code\u003e, \u003ccode\u003enext_expiry\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2 and 3 in a loop, registering thousands of unique namespaces.\u003c/li\u003e\n\u003cli\u003eThe server continues to allocate memory for each namespace registration.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003eMAX_TTL\u003c/code\u003e of 72 hours, previously registered namespaces are not removed from memory.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s memory consumption increases steadily with each registered namespace.\u003c/li\u003e\n\u003cli\u003eThe server process eventually exhausts available memory (OOM) and crashes, disrupting peer discovery services for legitimate clients.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, making the \u003ccode\u003elibp2p-rendezvous\u003c/code\u003e server unavailable. Any rust-libp2p based project that deploys a rendezvous point is at risk. Since rendezvous servers are often well-known and publicly reachable, their downtime disrupts peer discovery for all clients relying on them. 
The impact scales with the number of attacking peers, but a single connection issuing repeated REGISTER requests is sufficient to achieve the DoS. The affected package is \u003ccode\u003erust/libp2p-rendezvous\u003c/code\u003e versions prior to 0.17.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003erust/libp2p-rendezvous\u003c/code\u003e version 0.17.1 or later to patch CVE-2026-35405.\u003c/li\u003e\n\u003cli\u003eMonitor resource utilization (CPU, memory) of \u003ccode\u003elibp2p-rendezvous\u003c/code\u003e server processes to detect anomalous spikes indicative of a DoS attack.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on namespace registration requests from individual peers in the application layer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T06:33:46Z","date_published":"2026-04-04T06:33:46Z","id":"/briefs/2026-04-libp2p-rendezvous-dos/","summary":"A vulnerable libp2p-rendezvous server can be crashed via a denial-of-service attack where an unauthenticated peer registers unlimited namespaces, leading to memory exhaustion.","title":"libp2p-rendezvous Unlimited Namespace Registration DoS","url":"https://feed.craftedsignal.io/briefs/2026-04-libp2p-rendezvous-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libp2p","gossipsub","denial-of-service","integer overflow","rust"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Rust libp2p Gossipsub implementation, a peer-to-peer networking library, is susceptible to a remote denial-of-service (DoS) vulnerability. This flaw resides in the handling of \u003ccode\u003ebackoff\u003c/code\u003e expiry during heartbeat processing. 
By sending a specially crafted \u003ccode\u003ePRUNE\u003c/code\u003e control message containing an attacker-controlled, near-maximum \u003ccode\u003ebackoff\u003c/code\u003e value, a remote, unauthenticated peer can trigger an integer overflow. This overflow occurs when the implementation performs unchecked addition of the \u003ccode\u003ebackoff_time\u003c/code\u003e and a \u003ccode\u003eslack\u003c/code\u003e value. This vulnerability affects applications using libp2p-gossipsub versions prior to 0.49.4 and is distinct from CVE-2026-33040, which addressed overflow during backoff insertion. This report highlights a distinct secondary overflow path in heartbeat expiry handling that remained exploitable even after the initial insertion-side hardening. The vulnerability was reported by the Security team of the Ethereum Foundation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a standard libp2p session with a target node using \u003ccode\u003eTCP + Noise\u003c/code\u003e for encryption.\u003c/li\u003e\n\u003cli\u003eThe attacker negotiates a stream multiplexer protocol such as \u003ccode\u003emplex\u003c/code\u003e or \u003ccode\u003eyamux\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a Gossipsub stream with the target node to initiate communication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an RPC (Remote Procedure Call) containing a \u003ccode\u003eControlPrune\u003c/code\u003e message.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eControlPrune\u003c/code\u003e message includes a crafted \u003ccode\u003ebackoff\u003c/code\u003e value set near the maximum representable value for an i64 integer (e.g., \u003ccode\u003e9223372036854674580\u003c/code\u003e). 
The attacker chooses this value relative to the victim\u0026rsquo;s uptime.\u003c/li\u003e\n\u003cli\u003eThe target node parses the \u003ccode\u003ebackoff\u003c/code\u003e value from the protobuf message and processes it using \u003ccode\u003eBehaviour::handle_prune()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebackoff\u003c/code\u003e value is stored after a checked addition that confirms it is valid; however, the near-maximum value itself is still retained.\u003c/li\u003e\n\u003cli\u003eOn the next heartbeat, the node attempts to calculate the expiry time by adding a \u003ccode\u003eslack\u003c/code\u003e value to the stored \u003ccode\u003ebackoff_time\u003c/code\u003e using unchecked addition, which results in an integer overflow, causing a panic and crashing the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in a remote, unauthenticated denial of service. Any application exposing an affected \u003ccode\u003elibp2p-gossipsub\u003c/code\u003e listener can be crashed by a network-reachable peer. The crash occurs during heartbeat processing, not immediately upon receiving the \u003ccode\u003ePRUNE\u003c/code\u003e message. The attack can be repeated by reconnecting to the target and replaying the crafted \u003ccode\u003ePRUNE\u003c/code\u003e message. This could lead to service disruptions and potential data loss if the application does not handle crashes gracefully. 
The number of potential victims is significant, encompassing any application utilizing vulnerable versions of the \u003ccode\u003elibp2p-gossipsub\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003elibp2p-gossipsub\u003c/code\u003e dependency to version 0.49.4 or later to patch the unchecked arithmetic operation that causes the overflow.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect libp2p Gossipsub PRUNE with Large Backoff\u0026rdquo; to identify potential exploitation attempts by monitoring network traffic for unusually large \u003ccode\u003ebackoff\u003c/code\u003e values in \u003ccode\u003ePRUNE\u003c/code\u003e messages.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging to capture details of libp2p sessions and identify potential malicious peers attempting to exploit this vulnerability (logsource: network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T13:04:03Z","date_published":"2026-03-30T13:04:03Z","id":"/briefs/2026-03-libp2p-gossipsub-dos/","summary":"A remote, unauthenticated attacker can crash applications using libp2p-gossipsub versions prior to 0.49.4 by sending a crafted PRUNE control message with a near-maximum backoff value, causing an arithmetic overflow during heartbeat processing.","title":"libp2p-gossipsub Remote Denial of Service via Integer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-03-libp2p-gossipsub-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Libp2p","version":"https://jsonfeed.org/version/1.1"}