+ "details": "### Summary\nfound that `libp2p-rendezvous` server has no limit on how many namespaces a single peer can register. a malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed.\n\nno auth required. any peer on the network can do this.\n\n\n\n### Details\n\nthe bug is in `Registrations::add()` inside `protocols/rendezvous/src/server.rs`.\n\nthe store uses a BiMap keyed on `(PeerId, Namespace)` so yes, a peer can't register the *same* namespace twice. but there's nothing stopping it from registering 10,000 *different* namespaces. each unique one gets its own entry in:\n\n- `registrations_for_peer` (BiMap)\n- `registrations` (HashMap)\n- `next_expiry` (FuturesUnordered a new heap-allocated BoxFuture per registration)\n\nnamespace strings are only validated for length (`MAX_NAMESPACE = 255`), not count. there's no `max_registrations_per_peer` anywhere in `Config` or the rest of the codebase.\n\nmaking it worse `MAX_TTL = 72 hours`. so every registration just sits there for up to 3 days. disconnecting doesn't clean anything up either, entries only go away when the TTL fires.\n\n```\nprotocols/rendezvous/src/server.rs\n └── Registrations::add() ← no per-peer count check anywhere\n\nprotocols/rendezvous/src/lib.rs\n ├── MAX_NAMESPACE = 255 ← length capped, count is not\n └── MAX_TTL = 72h ← entries persist a long time\n```\n\nfix would be adding something like `max_registrations_per_peer` to `Config` and checking it at the top of `add()` before inserting anything.\n\n\n\n### PoC\n\ntested on `libp2p v0.56.1`, built from source.\n\n**step 1** - start the rendezvous server (uses the example from the repo):\n```bash\ncargo run --manifest-path examples/rendezvous/Cargo.toml --bin rendezvous-example\n```\n\n**step 2** - run the flood client (attached as `rzv-flood.rs`):\n```bash\ncargo run --manifest-path examples/rendezvous/Cargo.toml --bin rzv-flood\n```\n\nit connects as a single peer and registers 10,000 unique namespaces (`flood-00000000` through `flood-00009999`), chaining each registration on the confirmed `Registered` event from the previous one.\n\nserver accepted every single one. not one rejection.\n\nmemory on the server side (via `ps aux` RSS column):\n\n```\nbaseline: ~18 MB\nmid flood: ~26 MB \nafter 10k regs: ~28 MB\n```\n\nthat's from one peer. scale to 100 sybil peers doing the same thing and you're looking at ~1GB. 1000 peers and the server is dead.\n\n<img width=\"1032\" height=\"124\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f778f179-2aa1-4485-940c-25e218733fa8\" />\n\n*server RSS climbing during the flood*\n\n<img width=\"553\" height=\"760\" alt=\"image\" src=\"https://github.com/user-attachments/assets/691b0f52-dda0-443f-a3c2-98c8c6336f2f\" />\n\n*10,000 registrations confirmed, zero rejected*\n\n\n\n### Impact\n\nany node running libp2p-rendezvous server-side is affected. rendezvous servers are typically well-known, publicly reachable nodes taking one down disrupts peer discovery for all clients depending on it. any rust-libp2p based project that deploys a rendezvous point is at risk.\n\nno special position on the network needed. no crypto work. just open a connection and send REGISTER in a loop.\n\n## **Researchers**\n\n**Discovered by:**\n- Ramesh Adhikari (CoE-CNDS Lab, VJTI, Mumbai, India)\n- Dr. Faruk Kazi (CoE-CNDS Lab, VJTI, Mumbai, India)\n\n\n\n**Organization:** Centre of Excellence in Complex & Nonlinear Dynamical Systems (CoE-CNDS Lab), Veermata Jijabai Technological Institute (VJTI), Mumbai, India\n\n---\n\nWe have not disclosed this to any other vendor or made it public. We are reporting directly to the [rust-libp2p](https://github.com/libp2p/rust-libp2p) security team through this advisory.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments