Revofusion

**Name of the Vulnerable Software and Affected Versions** libp2p-rust versions prior to 0.49.3 **Description** The libp2p-rust Gossipsub implementation is susceptible to a remote, unauthenticated denial-of-service condition. The implementation accepts attacker-controlled PRUNE backoff values and performs unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff value, such as `u64::MAX`, can cause a Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This can be exploited by an attacker establishing a libp2p Gossipsub session with a target node by sending a single crafted PRUNE control message. The attack can be repeated by reconnecting and replaying the crafted control message. The **API Endpoint** involved is the Gossipsub stream. The vulnerable parameter is the backoff value within the `ControlPrune` protobuf RPC. **Recommendations** Upgrade to version 0.49.3 or later.

**Name of the Vulnerable Software and Affected Versions** Quinn versions prior to 0.11.14 **Description** A remote, unauthenticated attacker can cause a denial of service in applications using vulnerable Quinn versions by sending a specially crafted QUIC Initial packet containing malformed `quic transport parameters`. The issue occurs because attacker-controlled variable-length integers (varints) are decoded using `unwrap()`, and truncated encodings lead to a panic. This is exploitable over the network with a single packet and requires no prior trust or authentication. **Recommendations** Update to version 0.11.14 or later.

**Name of the Vulnerable Software and Affected Versions** go-ethereum (geth) versions prior to 1.17.0 **Description** A specially crafted p2p message can lead to high memory usage. The issue affects the Ethereum protocol implementation. **Recommendations** Update to version 1.17.0 or later.

**Name of the Vulnerable Software and Affected Versions** Yamux versions 0.13.0 through 0.13.8 **Description** Yamux is a stream multiplexer used over reliable, ordered connections like TCP/IP. A specially crafted `WindowUpdate` can lead to an arithmetic overflow in the send-window accounting, causing a panic in the connection state machine. This is remotely exploitable over a network connection without authentication. The issue involves accepting `WindowUpdate` credit values from a remote peer and applying them to per-stream send-window state. An attacker can establish a Yamux session and crash the target by sending a sequence of frames: opening a stream and then sending a `WindowUpdate` with a large credit value that overflows a u32 integer. This results in a remote, unauthenticated denial of service. **Recommendations** Upgrade to Yamux version 0.13.9.

**Name of the Vulnerable Software and Affected Versions** Yamux versions prior to 0.13.10 **Description** Yamux is a stream multiplexer operating over reliable, ordered connections like TCP/IP. The Rust implementation of Yamux, before version 0.13.10, is susceptible to a panic when processing a specifically crafted inbound Data frame. This frame sets the SYN flag and utilizes a body length exceeding the DEFAULT CREDIT value (for example, 262145). During the initial packet of a new inbound stream, stream state is created and a receiver is queued before the validation of the oversized body completes. If validation fails, the temporary stream is dropped, and the cleanup process may call `remove(...).expect("stream not found")`, which triggers a panic within the connection state machine. This issue is remotely exploitable through a standard Yamux session without requiring authentication. The vulnerability occurs because stream state is created and a receiver is queued before oversized-body validation is complete. **Recommendations** Versions prior to 0.13.10 should be upgraded to version 0.13.10.