The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.
Pagination state is stored in:
HashMap<Cookie, HashSet<RegistrationId>>
On Message::Discover:
remote peer
→ DISCOVER
→ handle_request
→ registrations.get(...)
→ new cookie generated
→ cookie inserted into Registrations::cookies
There is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.
A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.
Remote state amplification leading to memory exhaustion.
Properties:
Bound cookie storage (MAX_COOKIES_TRACKED) with FIFO/expiry aware eviction.
Tradeoff: attacker can churn cookies and evict legitimate pagination state.
Encode pagination state in authenticated cookies instead of storing server-side state.
Tradeoff: more complex implementation.
Limit cookie creation per peer.
Tradeoff: requires peer tracking.
| Score | Percentile |
|---|---|
| 0.05% | 16.41% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.2 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-v5hw-cv9c-rpg7 ↗ |
| CVE | CVE-2026-35457 ↗ |
| CWE id | Name |
|---|---|
| CWE-770 | Allocation of Resources Without Limits or Throttling |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| rust | libp2p-rendezvous | < 0.17.1 | 0.17.1 | — |