GHSA-v5hw-cv9c-rpg7

Source
https://github.com/advisories/GHSA-v5hw-cv9c-rpg7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v5hw-cv9c-rpg7/GHSA-v5hw-cv9c-rpg7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v5hw-cv9c-rpg7
Aliases
  • CVE-2026-35457
Published
2026-04-04T06:34:29Z
Modified
2026-04-07T20:21:43.969674Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Summary
libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
Details

Summary

The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.

Details

Pagination state is stored in:

HashMap<Cookie, HashSet<RegistrationId>>

On Message::Discover:

remote peer
→ DISCOVER
→ handle_request
→ registrations.get(...)
→ new cookie generated
→ cookie inserted into Registrations::cookies

There is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.

PoC

A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.

Impact

Remote state amplification leading to memory exhaustion.

Properties:

  • network reachable
  • no authentication required
  • low attack complexity
  • protocol-compliant traffic

Impacts rendezvous nodes exposed to untrusted peers.

Possible Fixes

  1. Global cap + eviction

Bound cookie storage (MAX_COOKIES_TRACKED) with FIFO/expiry-aware eviction.
Tradeoff: attacker can churn cookies and evict legitimate pagination state.

  2. Stateless cookies

Encode pagination state in authenticated cookies instead of storing server-side state.
Tradeoff: more complex implementation.

  3. Rate limiting / per-peer quotas

Limit cookie creation per peer.
Tradeoff: requires peer tracking.
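The following is an added illustration, not code from the libp2p-rendezvous crate or from the advisory author. It models the pagination map described under Details (one new cookie inserted per DISCOVER, never removed) next to fix option 1 (a global cap with FIFO eviction), and simulates an unauthenticated peer flooding both with DISCOVER requests. Assumptions: Cookie and RegistrationId are stood in by u64, the cap value 1024 and the FIFO policy are illustrative, and the lookup/eviction behaviour shown is a minimal model of the tradeoff the advisory names, not the crate's actual implementation.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Stand-in for the crate's opaque Cookie type (assumption: a 64-bit id).
pub type Cookie = u64;
/// Stand-in for the crate's RegistrationId type (assumption: a 64-bit id).
pub type RegistrationId = u64;

/// Hypothetical cap for fix option 1; the real name/value are not given on this page.
pub const MAX_COOKIES_TRACKED: usize = 1024;

/// Pagination state as the advisory describes it: every DISCOVER mints a cookie
/// and inserts it into the map, and nothing ever evicts entries.
pub struct UnboundedRegistrations {
    next_cookie: Cookie,
    cookies: HashMap<Cookie, HashSet<RegistrationId>>,
}

impl UnboundedRegistrations {
    pub fn new() -> Self {
        Self { next_cookie: 1, cookies: HashMap::new() }
    }

    /// Models the Message::Discover path: generate a cookie, store the set of
    /// registrations already returned, hand the cookie back to the remote peer.
    pub fn discover(&mut self, already_seen: HashSet<RegistrationId>) -> Cookie {
        let cookie = self.next_cookie;
        self.next_cookie += 1;
        self.cookies.insert(cookie, already_seen);
        cookie
    }

    pub fn tracked(&self) -> usize {
        self.cookies.len()
    }
}

/// Fix option 1: the same map, bounded by MAX_COOKIES_TRACKED with FIFO eviction.
pub struct BoundedRegistrations {
    next_cookie: Cookie,
    cookies: HashMap<Cookie, HashSet<RegistrationId>>,
    /// Insertion order, so the oldest cookie is the one evicted.
    order: VecDeque<Cookie>,
}

impl BoundedRegistrations {
    pub fn new() -> Self {
        Self { next_cookie: 1, cookies: HashMap::new(), order: VecDeque::new() }
    }

    pub fn discover(&mut self, already_seen: HashSet<RegistrationId>) -> Cookie {
        // Evict the oldest cookie once the cap is reached, before inserting.
        if self.cookies.len() >= MAX_COOKIES_TRACKED {
            if let Some(oldest) = self.order.pop_front() {
                self.cookies.remove(&oldest);
            }
        }
        let cookie = self.next_cookie;
        self.next_cookie += 1;
        self.cookies.insert(cookie, already_seen);
        self.order.push_back(cookie);
        cookie
    }

    /// A follow-up DISCOVER carrying a cookie: None means the state was evicted,
    /// which is the tradeoff the advisory notes (attacker churn can evict a
    /// legitimate client's pagination state, so the server must treat the
    /// request as a fresh, unpaginated DISCOVER).
    pub fn lookup(&self, cookie: Cookie) -> Option<&HashSet<RegistrationId>> {
        self.cookies.get(&cookie)
    }

    pub fn tracked(&self) -> usize {
        self.cookies.len()
    }
}

/// Constructed attacker model: one unauthenticated peer sends `n` DISCOVER
/// requests to each server. Returns (unbounded entries, bounded entries).
pub fn flood(n: usize) -> (usize, usize) {
    let mut unbounded = UnboundedRegistrations::new();
    let mut bounded = BoundedRegistrations::new();
    for _ in 0..n {
        unbounded.discover(HashSet::new());
        bounded.discover(HashSet::new());
    }
    (unbounded.tracked(), bounded.tracked())
}

fn main() {
    let (u, b) = flood(10_000);
    println!("after 10000 DISCOVERs: unbounded map holds {u} cookies, bounded map holds {b}");
}
```

The unbounded map grows linearly with the number of protocol-compliant DISCOVER messages, which is the CWE-770 condition the advisory reports; the bounded variant plateaus at the cap, at the cost that a cookie minted for a legitimate client can be pushed out by an attacker's churn, which is why the advisory also lists stateless (authenticated) cookies and per-peer quotas as alternatives.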

Database specific
{
    "nvd_published_at": "2026-04-07T15:17:43Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed_at": "2026-04-04T06:34:29Z"
}
References

Affected packages

crates.io / libp2p-rendezvous

Package

Name
libp2p-rendezvous
Purl
pkg:cargo/libp2p-rendezvous

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.17.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v5hw-cv9c-rpg7/GHSA-v5hw-cv9c-rpg7.json"