CVE-2026-34062
Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
| CWE | CWE-770 |
| Vendor | nimiq |
| Product | network-libp2p |
| Published | Apr 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for nimiq network-libp2p
Be the first to know when new medium vulnerabilities affecting nimiq network-libp2p are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
nimiq / network-libp2p
< 1.3.0