Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response

nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

不加限制或调节的资源分配

Nimiq 安全漏洞

Nimiq是Nimiq开源的一个Albatross协议的Rust实现。 Nimiq 1.3.0之前版本存在安全漏洞，该漏洞源于nimiq-libp2p中MessageCodec::read_request和read_response在入站子流上调用read_to_end，因此远程对等方可以仅发送部分帧并保持子流打开。由于Behaviour::new还设置了with_max_concurrent_streams(1000)，节点暴露的停滞槽预算远大于库默认值。

N/A

N/A