libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

Description

Summary

The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.

Details

Pagination state is stored in:

HashMap<Cookie, HashSet<RegistrationId>>

On Message::Discover:

remote peer
→ DISCOVER
→ handle_request
→ registrations.get(...)
→ new cookie generated
→ cookie inserted into Registrations::cookies

There is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.

PoC

A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.

Impact

Remote state amplification leading to memory exhaustion.

Properties:

  • etwork reachable
  • no authentication required
  • low attack complexity
  • protocol-compliant traffic

Impacts rendezvous nodes exposed to untrusted peers.

Possible Fixes

  1. Global cap + eviction

Bound cookie storage (MAX_COOKIES_TRACKED) with FIFO/expiry aware eviction.
Tradeoff: attacker can churn cookies and evict legitimate pagination state.

  1. Stateless cookies

Encode pagination state in authenticated cookies instead of storing server-side state.
Tradeoff: more complex implementation.

  1. Rate limiting / per-peer quotas

Limit cookie creation per peer.
Tradeoff: requires peer tracking.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-04 06:34:29 UTC
Updated
2026-04-07 19:59:52 UTC
GitHub reviewed
2026-04-04 06:34:29 UTC
NVD published
2026-04-07

EPSS Score

Score Percentile
0.05% 16.41%

CVSS Scores

Base score Version Severity Vector
8.2 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-770 Allocation of Resources Without Limits or Throttling

Credits

  • failuresmith (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust libp2p-rendezvous < 0.17.1 0.17.1

References

cvelogic Threat Intelligence