PT-2026-30338 · Unknown · Libp2P-Rendezvous
Failuresmith
·
Published
2026-04-02
·
Updated
2026-04-07
·
CVE-2026-35457
CVSS v2.0
8.5
High
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:C |
Name of the Vulnerable Software and Affected Versions
libp2p-rendezvous (affected versions not specified)
Description
The rendezvous server stores pagination cookies without bounds, leading to unbounded memory growth. An unauthenticated peer can repeatedly issue
DISCOVER requests to exploit this issue. The vulnerability results in remote state amplification and potential memory exhaustion. The affected component uses a HashMap<Cookie, HashSet<RegistrationId>> to store pagination state. The handle request function processes Message::Discover requests, generating new cookies and inserting them into the Registrations::cookies map without any upper bound or eviction policy. This allows an attacker to repeatedly request discovery, causing the map to grow indefinitely. The vulnerability is network reachable, requires no authentication, has low attack complexity, and uses protocol-compliant traffic.Recommendations
- Implement a global cap and eviction policy, bounding cookie storage with a
MAX COOKIES TRACKEDlimit and using FIFO or expiry-aware eviction. - Encode pagination state in authenticated cookies instead of storing server-side state.
- Implement rate limiting or per-peer quotas to limit cookie creation per peer.
Fix
DoS
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Libp2P-Rendezvous