Emmanuel Ouanounou

Researcher from CyberArk
Rank: #39757 of 53,633
Total CVSS: 6.8
Vulnerabilities: 1

PT-2020-16991 · CVSS 6.8 · 2020-11-09
ChirpStack · ChirpStack Network Server · CVE-2020-28349
**Name of the Vulnerable Software and Affected Versions**

ChirpStack Network Server version 3.9.0

**Description**

The issue stems from an inaccurate frame deduplication process in the `CollectAndCallOnceCollect` function in `internal/uplink/collect.go`. A malicious gateway can submit uplink frames carrying malformed frequency attributes and thereby cause an uplink Denial of Service, so that legitimate uplinks are no longer processed by the network server. The attack surface is the gateway's reporting of received frames and their RX metadata, which the network server takes at face value. The vendor notes that there are no guarantees of network security when untrusted LoRa gateways are allowed onto the network.

**Recommendations**

For ChirpStack Network Server version 3.9.0, restrict gateway access so that only trusted, operator-controlled gateways can submit uplink frames to the network server; this is the mitigation the vendor's note points to. Disabling the `CollectAndCallOnceCollect` function is not a viable workaround: it is the uplink collection path itself, so removing it would drop all uplinks, which is the same outcome the attack produces. At the time of this entry, no fixed version is listed.
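The Go program below is an added illustration, not ChirpStack's code and not a reconstruction of the exact mechanics of CVE-2020-28349, which this entry does not detail. It models the class of bug the description names: a deduplication window that groups the reports all gateways make of the same over-the-air frame by PHYPayload alone, so that a rogue gateway's copy of a legitimate frame with a bogus frequency lands in the honest gateway's batch and makes the whole batch unusable. Two hardened variants are shown beside it: refusing frames whose reported frequency is not in the channel plan before they enter the window, and binding the reported frequency into the deduplication key. The `UplinkFrame` type, the channel plan, and the sample frames are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// UplinkFrame models a gateway's report of one received LoRaWAN frame: the
// raw PHYPayload plus the RX metadata the gateway claims for it. Constructed
// for this example; it is not ChirpStack's gw.UplinkFrame.
type UplinkFrame struct {
	GatewayID  string
	PHYPayload []byte
	Frequency  uint32 // Hz, as reported by the gateway (untrusted input)
}

// allowedFrequencies is a toy EU868 uplink channel plan (assumption).
var allowedFrequencies = map[uint32]bool{868100000: true, 868300000: true, 868500000: true}

func validFrequency(f uint32) bool { return allowedFrequencies[f] }

// PayloadOnlyKey is the weak deduplication key: it hashes the PHYPayload only,
// so every gateway reporting the same over-the-air frame lands in one batch,
// whatever RX metadata it attached.
func PayloadOnlyKey(f UplinkFrame) string {
	sum := sha256.Sum256(f.PHYPayload)
	return hex.EncodeToString(sum[:])
}

// BoundKey also binds the reported frequency into the key, so a copy with
// different or bogus RX parameters forms its own batch and fails alone.
func BoundKey(f UplinkFrame) string {
	h := sha256.New()
	h.Write(f.PHYPayload)
	fmt.Fprintf(h, "|%d", f.Frequency)
	return hex.EncodeToString(h.Sum(nil))
}

// Outcome summarises one deduplication window.
type Outcome struct {
	Delivered       int // batches that were processed
	Rejected        int // batches refused by processBatch
	RefusedAtIngest int // frames dropped before joining a batch
	LargestBatch    int // most gateway reports merged into one batch
}

// processBatch models the step where the server needs one consistent set of
// RX parameters for the uplink. One invalid or disagreeing member spoils the
// whole batch, honest reports included.
func processBatch(batch []UplinkFrame) error {
	freq := batch[0].Frequency
	for _, f := range batch {
		if !validFrequency(f.Frequency) {
			return fmt.Errorf("gateway %s reported invalid frequency %d", f.GatewayID, f.Frequency)
		}
		if f.Frequency != freq {
			return fmt.Errorf("gateway %s disagrees on frequency (%d vs %d)", f.GatewayID, f.Frequency, freq)
		}
	}
	return nil
}

// Collect runs one deduplication window over the frames received from all
// gateways. With validateOnIngest set, a frame whose reported frequency is
// not in the channel plan is refused before it can join a batch.
func Collect(frames []UplinkFrame, key func(UplinkFrame) string, validateOnIngest bool) Outcome {
	var out Outcome
	batches := map[string][]UplinkFrame{}
	for _, f := range frames {
		if validateOnIngest && !validFrequency(f.Frequency) {
			out.RefusedAtIngest++
			continue
		}
		k := key(f)
		batches[k] = append(batches[k], f)
	}
	for _, batch := range batches {
		if len(batch) > out.LargestBatch {
			out.LargestBatch = len(batch)
		}
		if err := processBatch(batch); err != nil {
			out.Rejected++
			continue
		}
		out.Delivered++
	}
	return out
}

// DemoFrames builds the constructed scenario: an honest gateway reports a
// device's uplink on a valid channel, and a rogue gateway replays the same
// PHYPayload (anything on the air can be overheard) with a bogus frequency.
func DemoFrames() []UplinkFrame {
	payload := []byte{0x40, 0x01, 0x02, 0x03, 0x04, 0x80, 0x01, 0x00, 0xde, 0xad} // constructed bytes, not a real frame
	return []UplinkFrame{
		{GatewayID: "gw-honest", PHYPayload: payload, Frequency: 868100000},
		{GatewayID: "gw-rogue", PHYPayload: payload, Frequency: 0},
	}
}

func main() {
	frames := DemoFrames()
	fmt.Printf("payload-only key, no ingest check: %+v\n", Collect(frames, PayloadOnlyKey, false))
	fmt.Printf("frequency bound into key:          %+v\n", Collect(frames, BoundKey, false))
	fmt.Printf("ingest validation:                 %+v\n", Collect(frames, PayloadOnlyKey, true))
}
```

With the payload-only key the honest report is lost along with the rogue one; with either hardening the honest uplink is delivered. Neither hardening is complete, though: a rogue gateway that replays the frame on another valid channel passes ingest validation, and with the bound key its copy is delivered as a second uplink. That residual is why the vendor's note stands: the gateway is a trusted party in this design, and the real control is not admitting gateways you do not operate.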