{"id":"GHSA-v5hw-cv9c-rpg7","summary":"libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion","details":"### Summary\nThe rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue `DISCOVER` requests and force unbounded memory growth.\n\n### Details\n\nPagination state is stored in:\n\n```rs\nHashMap\u003cCookie, HashSet\u003cRegistrationId\u003e\u003e\n```\n\nOn `Message::Discover`:\n\n```\nremote peer\n→ DISCOVER\n→ handle_request\n→ registrations.get(...)\n→ new cookie generated\n→ cookie inserted into Registrations::cookies\n```\n\nThere is **no upper bound or eviction policy**, so repeated DISCOVER requests grow this map indefinitely.\n\n\n### PoC\nA reproduction test and minimal harness will be provided in a private fork in a follow-up comment.\n\n### Impact\n\n**Remote state amplification leading to memory exhaustion.**\n\n\nProperties:\n\n- network reachable\n- no authentication required\n- low attack complexity\n- protocol-compliant traffic\n\nImpacts rendezvous nodes exposed to untrusted peers.\n---\n\n### Possible Fixes\n\n1. **Global cap + eviction**\n\nBound cookie storage (`MAX_COOKIES_TRACKED`) with FIFO/expiry-aware eviction.  \nTradeoff: attacker can churn cookies and evict legitimate pagination state.\n\n2. **Stateless cookies**\n\nEncode pagination state in authenticated cookies instead of storing server-side state.  \nTradeoff: more complex implementation.\n\n3. **Rate limiting / per-peer quotas**\n\nLimit cookie creation per peer.  \nTradeoff: requires peer tracking.","aliases":["CVE-2026-35457"],"modified":"2026-04-07T20:21:43.969674Z","published":"2026-04-04T06:34:29Z","database_specific":{"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2026-04-04T06:34:29Z","nvd_published_at":"2026-04-07T15:17:43Z","cwe_ids":["CWE-770"]},"references":[{"type":"WEB","url":"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35457"},{"type":"PACKAGE","url":"https://github.com/libp2p/rust-libp2p"}],"affected":[{"package":{"name":"libp2p-rendezvous","ecosystem":"crates.io","purl":"pkg:cargo/libp2p-rendezvous"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.17.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v5hw-cv9c-rpg7/GHSA-v5hw-cv9c-rpg7.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}]}
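The following Rust program is an added illustration of the `HashMap<Cookie, HashSet<RegistrationId>>` growth pattern the advisory describes and of fix option 1 (global cap with FIFO eviction), including the tradeoff the advisory notes: an attacker who churns cookies can evict a legitimate peer's pagination state. It is not code from the advisory, from rust-libp2p, or from the 0.17.1 fix. The type aliases `Cookie`/`RegistrationId`, the structs `UnboundedCookies`/`BoundedCookies`, and the driver `simulate_flood` are stand-ins chosen here; they do not reproduce the crate's real `Registrations` type or cookie format.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Stand-ins chosen for this example (assumption): the real `Cookie` and
/// `RegistrationId` types in libp2p-rendezvous are not reproduced here.
pub type Cookie = u64;
pub type RegistrationId = u64;

/// The unbounded pattern the advisory describes: every DISCOVER mints a new
/// cookie and stores its pagination state with no cap and no eviction.
pub struct UnboundedCookies {
    cookies: HashMap<Cookie, HashSet<RegistrationId>>,
    next_cookie: Cookie,
}

impl UnboundedCookies {
    pub fn new() -> Self {
        Self { cookies: HashMap::new(), next_cookie: 0 }
    }

    /// Handle one DISCOVER: generate a cookie and remember which registrations
    /// were already returned. Nothing is ever removed from the map.
    pub fn discover(&mut self, already_returned: HashSet<RegistrationId>) -> Cookie {
        let cookie = self.next_cookie;
        self.next_cookie += 1;
        self.cookies.insert(cookie, already_returned);
        cookie
    }

    pub fn tracked(&self) -> usize {
        self.cookies.len()
    }
}

/// Fix option 1 from the advisory: a global cap (`MAX_COOKIES_TRACKED`-style)
/// with FIFO eviction of the oldest cookie once the cap is reached.
pub struct BoundedCookies {
    cookies: HashMap<Cookie, HashSet<RegistrationId>>,
    /// Insertion order, oldest at the front, so eviction is O(1).
    order: VecDeque<Cookie>,
    next_cookie: Cookie,
    max_tracked: usize,
}

impl BoundedCookies {
    pub fn new(max_tracked: usize) -> Self {
        assert!(max_tracked > 0, "cap must allow at least one cookie");
        Self { cookies: HashMap::new(), order: VecDeque::new(), next_cookie: 0, max_tracked }
    }

    pub fn discover(&mut self, already_returned: HashSet<RegistrationId>) -> Cookie {
        // Evict the oldest cookie(s) before inserting so memory never exceeds the cap.
        while self.order.len() >= self.max_tracked {
            if let Some(oldest) = self.order.pop_front() {
                self.cookies.remove(&oldest);
            }
        }
        let cookie = self.next_cookie;
        self.next_cookie += 1;
        self.cookies.insert(cookie, already_returned);
        self.order.push_back(cookie);
        cookie
    }

    /// Resolve a cookie presented on a follow-up DISCOVER. `None` means it was
    /// never issued or has been evicted; a server should then fall back to an
    /// unpaginated response rather than treat it as an error.
    pub fn lookup(&self, cookie: Cookie) -> Option<&HashSet<RegistrationId>> {
        self.cookies.get(&cookie)
    }

    pub fn tracked(&self) -> usize {
        self.cookies.len()
    }
}

/// Simulate one unauthenticated peer sending `requests` DISCOVER messages to
/// both server variants and report how many cookies each is holding afterwards.
pub fn simulate_flood(requests: usize, cap: usize) -> (usize, usize) {
    let mut unbounded = UnboundedCookies::new();
    let mut bounded = BoundedCookies::new(cap);
    for i in 0..requests {
        // Constructed sample state: pretend each response covered three registrations.
        let seen: HashSet<RegistrationId> = (0..3).map(|k| (i * 3 + k) as u64).collect();
        unbounded.discover(seen.clone());
        bounded.discover(seen);
    }
    (unbounded.tracked(), bounded.tracked())
}

fn main() {
    let (unbounded, bounded) = simulate_flood(10_000, 1_000);
    println!("after 10000 DISCOVERs: unbounded={unbounded} bounded={bounded}");
}
```

The bounded variant holds memory at the cap, but the churn test below shows the cost the advisory calls out: two attacker cookies are enough to push a legitimate cookie out of a cap-2 store, so a deployment that picks option 1 should pair it with a fallback to unpaginated discovery when a cookie is unknown, and consider per-peer quotas (option 3) on top.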