PT-2025-20692 · Unknown · Nimiq/Core-Rs-Albatross
Jsdanielh +1 · Published 2025-05-12 · Updated 2026-02-06
CVE-2025-47270
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
nimiq/core-rs-albatross versions prior to 1.1.0
Description
The issue is related to uncontrolled memory allocation in the nimiq-network-libp2p subcrate of nimiq/core-rs-albatross, which can lead to a Denial of Service (DoS) attack. Specifically, the implementation of the Discovery network message handling allocates a buffer based on a length value provided by the peer, without enforcing an upper bound. A peer can trigger allocations of up to 4 GB, potentially leading to memory exhaustion and node crashes. As Discovery messages are regularly exchanged for peer discovery, this issue can be exploited repeatedly.
Recommendations
For versions prior to 1.1.0, update to version 1.1.0, which limits the discovery message size to 1 MB and also resizes the message buffer incrementally as the data is read. As a temporary workaround, consider restricting the Discovery message handling to minimize the risk of exploitation.
Exploit
Fix
DoS
Resource Exhaustion
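The weakness and the fix described above, as an added Rust sketch that is not code from nimiq/core-rs-albatross. The 4-byte big-endian length prefix, the function names, the `CHUNK` size and the reading of 1 MB as 1024 * 1024 bytes are assumptions made for illustration.

```rust
use std::io::{self, ErrorKind, Read};

// Cap named in the advisory's fix (1 MB), taken here as 1024 * 1024 bytes (assumption).
const MAX_MESSAGE_SIZE: usize = 1024 * 1024;
// Read granularity; an assumed value for this sketch.
const CHUNK: usize = 4096;

// Assumed framing (not the project's wire format): 4-byte big-endian length, then payload.
fn read_len<R: Read>(r: &mut R) -> io::Result<usize> {
    let mut prefix = [0u8; 4];
    r.read_exact(&mut prefix)?;
    Ok(u32::from_be_bytes(prefix) as usize)
}

// Weak pattern: allocates whatever the peer announces (up to ~4 GB) before any payload arrives.
#[allow(dead_code)]
fn read_frame_unbounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; read_len(r)?];
    r.read_exact(&mut buf)?;
    Ok(buf)
}

// Hardened pattern: reject lengths over the cap, then grow the buffer only as bytes arrive.
fn read_frame_bounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let len = read_len(r)?;
    if len > MAX_MESSAGE_SIZE {
        return Err(io::Error::new(ErrorKind::InvalidData, "length exceeds 1 MB cap"));
    }
    let (mut buf, mut chunk) = (Vec::new(), [0u8; CHUNK]);
    while buf.len() < len {
        let want = CHUNK.min(len - buf.len());
        match r.read(&mut chunk[..want]) {
            Ok(0) => return Err(io::Error::new(ErrorKind::UnexpectedEof, "peer closed mid-frame")),
            Ok(n) => buf.extend_from_slice(&chunk[..n]),
            Err(e) if e.kind() == ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        }
    }
    Ok(buf)
}

fn main() {
    // Constructed input: a frame announcing 1 MB but carrying only 5 bytes.
    let mut short = (MAX_MESSAGE_SIZE as u32).to_be_bytes().to_vec();
    short.extend_from_slice(b"hello");
    println!("{:?}", read_frame_bounded(&mut &short[..]).map(|b| b.len()));
}
```

With the bounded reader, memory held for a frame tracks the bytes the peer has actually sent, so an announced length alone costs the node nothing.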
Affected Products
Nimiq/Core-Rs-Albatross