Skip to content

Commit da719ff

Browse files
1 parent 163501f commit da719ff

1 file changed

Lines changed: 61 additions & 0 deletions

File tree

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-w342-mj6g-v9c4",
4+
"modified": "2026-06-05T15:27:42Z",
5+
"published": "2026-06-05T15:27:42Z",
6+
"aliases": [
7+
"CVE-2026-47249"
8+
],
9+
"summary": "Klever-Go KVM: Hash-array amplification in P2P resolver request handling",
10+
"details": "### Summary\nA connected peer can send a compressed `RequestDataType_HashArrayType` direct request that is only `442` bytes on the wire but expands into `200000` decoded hash entries inside the resolver path. On `klever-go` `v1.7.17`, this allows remote memory and CPU amplification against nodes that accept P2P peer connections.\n\n### Details\nResolver antiflood logic accounts only one logical message and the compressed wire size in `data/retriever/resolvers/messageProcessor.go#L30`.\n\n`Batch.Decompress()` in `data/batch/batch.go#L122` enforces an inflated byte cap but does not enforce a decoded repeated-field item cap. After decompression, `TxResolver` preallocates and iterates all decoded hashes in `data/retriever/resolvers/transactionResolver.go#L194`, and `TrieNodeResolver` iterates the same unchecked decoded set in `data/retriever/resolvers/trieNodeResolver.go#L108`.\n\nPinned references:\n- https://github.com/klever-io/klever-go/blob/333f6ec910906e227705fc5767dc897d8fbfc862/data/retriever/resolvers/messageProcessor.go#L30\n- https://github.com/klever-io/klever-go/blob/333f6ec910906e227705fc5767dc897d8fbfc862/data/batch/batch.go#L122\n- https://github.com/klever-io/klever-go/blob/333f6ec910906e227705fc5767dc897d8fbfc862/data/retriever/resolvers/transactionResolver.go#L194\n- https://github.com/klever-io/klever-go/blob/333f6ec910906e227705fc5767dc897d8fbfc862/data/retriever/resolvers/trieNodeResolver.go#L108\n\nThis appears distinct from the public `CVE-2026-44697` / `GHSA-87m7-qffr-542v`, which covered `MultiDataInterceptor` compressed batch fan-in. This report concerns resolver request paths that remain reachable through real libp2p direct-send plumbing on `v1.7.17`.\n\n### PoC\nReproduced with:\n\n```bash\ngo run auditpoc/request_batch_hash_amplification_poc.go\ngo test github.com/klever-io/klever-go/auditpoc -run TestRequestBatchHashAmplification_DirectSendReachability -count=1\n```\n\nObserved output:\n\n```text\nrequest wire bytes: 442\nfits direct-send limit (983040 bytes): true\ntx resolver lookups: 200000\ntrie resolver lookups: 200000\nheap delta before first tx lookup: 17.47 MiB\nok github.com/klever-io/klever-go/auditpoc\n```\n\nThe E2E harness registers the victim resolver on the request topic and sends the malicious payload through `SendToConnectedPeer()` to prove the work amplification survives the real direct-send path.\n\n### Impact\nA connected peer can convert a sub-kilobyte request into large decode-time memory pressure and synchronous CPU work on the target node. Repeated requests or several concurrent peers can degrade or exhaust validator resources, affecting node availability.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/klever-io/klever-go"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.7.18"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/klever-io/klever-go/security/advisories/GHSA-w342-mj6g-v9c4"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/klever-io/klever-go"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/klever-io/klever-go/releases/tag/v1.7.18"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-400"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-05T15:27:42Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)