Impact
The vulnerability exists in the libp2p networking stack used by Nimiq, specifically in the MessageCodec::read_request and read_response functions. These functions call read_to_end() on inbound substreams, allowing a remote peer to send only part of a frame and then keep the substream open. Because the protocol permits a large number of concurrent streams (with_max_concurrent_streams set to 1000), the node can end up with many stalled substreams that consume memory and other resources. This is a classic allocation of resources without limits or throttling flaw (CWE-770) that can lead to a denial of service if an attacker exhausts the node's capacity.
Affected Systems
The affected product is Nimiq’s network-libp2p implementation. The flaw exists in all releases before v1.3.0 of the libp2p package. Any Nimiq node running a pre-1.3.0 version of the network-libp2p crate is potentially vulnerable and can be targeted by any external peer that can establish a libp2p connection to the node.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity, and no EPSS score is currently available. The vulnerability is not listed in CISA’s KEV catalog, suggesting it is not yet actively exploited in the wild. However, exploitation requires only a remote communication channel via the libp2p protocol, which is typically open to public peers. An attacker can create many partially transmitted frames to keep substreams open, thereby exhausting memory and causing the node to become unresponsive or crash. The lack of throttling or resource limits increases the feasibility and potential impact of such an attack.
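To make the resource-exhaustion mechanism described in the Impact and Risk sections concrete, the following is an added illustration (not Nimiq's code and not the v1.3.0 fix) of how an inbound substream reader can avoid the read_to_end() pattern: it reads a length prefix, rejects oversized frames before buffering them, and reports a frame that stalls past a deadline so the caller can close the substream. The frame format, the limits and the type names are assumptions for this example.

```rust
use std::time::{Duration, Instant};

// Assumed limits for this illustration, not Nimiq's actual values.
const MAX_FRAME_LEN: usize = 1024 * 1024;                // 1 MiB cap on one frame body
const FRAME_TIMEOUT: Duration = Duration::from_secs(10); // partial frame must complete by then

#[derive(Debug, PartialEq)]
pub enum FrameError { TooLarge(usize), Stalled }

/// Incremental decoder for one inbound substream carrying frames prefixed by a 4-byte
/// big-endian length. read_to_end() waits for EOF, so a half-sent frame pins the stream;
/// this decoder knows how many bytes remain and enforces a size cap and a deadline instead.
pub struct FrameDecoder {
    buf: Vec<u8>,
    started: Option<Instant>, // when the current (incomplete) frame began arriving
}

impl FrameDecoder {
    pub fn new() -> Self { FrameDecoder { buf: Vec::new(), started: None } }

    /// Feed bytes received at `now`. Returns the frame body once complete,
    /// `Ok(None)` while waiting, or an error meaning "close this substream".
    pub fn feed(&mut self, data: &[u8], now: Instant) -> Result<Option<Vec<u8>>, FrameError> {
        if self.started.is_none() { self.started = Some(now); }
        self.buf.extend_from_slice(data);
        if self.buf.len() >= 4 {
            let len = u32::from_be_bytes([self.buf[0], self.buf[1], self.buf[2], self.buf[3]]) as usize;
            // Refuse from the prefix alone, before the peer pushes a huge body through.
            if len > MAX_FRAME_LEN { return Err(FrameError::TooLarge(len)); }
            if self.buf.len() >= 4 + len {
                let body = self.buf[4..4 + len].to_vec();
                self.buf.drain(..4 + len);
                // Bytes left over belong to the next frame, whose clock starts now.
                self.started = if self.buf.is_empty() { None } else { Some(now) };
                return Ok(Some(body));
            }
        }
        self.check_deadline(now).map(|_| None)
    }

    /// Called by a periodic reaper even when no bytes arrive: a peer that goes
    /// silent mid-frame must not be allowed to hold the substream open forever.
    pub fn check_deadline(&self, now: Instant) -> Result<(), FrameError> {
        match self.started {
            Some(t0) if now.duration_since(t0) > FRAME_TIMEOUT => Err(FrameError::Stalled),
            _ => Ok(()),
        }
    }
}
```

A per-connection cap on open decoders, enforced alongside the reaper, bounds memory to (max streams × MAX_FRAME_LEN) per peer instead of leaving it unbounded.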
OpenCVE Enrichment