2 matches found
js-libp2p: Memory DoS via subscription flood of unique topics
Summary: Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity (packages/gossipsub/src/message/decodeRpc.ts:11): no decode-level cap on...
Denial Of Service (DoS)
msgpack is vulnerable to denial of service. The default decode limits are too large, which allows an attacker to deplete available resources and cause the process to crash...