GHSA-mw3q-r9wh-h2ffHighCVSS 7.5

nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item

Published
May 21, 2026
Last Modified
May 21, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

A remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).

A malicious peer can respond to a RequestChunk with a ResponseChunk::Chunk whose first TrieItem.key is the empty (ROOT) key. The chunk passes sorting, range, and Merkle-proof validation, but when put_raw tries to store a value at the root node, it calls TrieNode::put_value(...).unwrap(), which returns Err(RootCantHaveValue) and panics, aborting the node process. The panic fires on the first malicious chunk the victim commits; no rate limit or authentication gate caps the attack.

Impacted: any node running state sync against untrusted peers — this includes fresh nodes performing initial download and existing nodes recovering from data loss. Honest nodes never construct ROOT-keyed items, so non-syncing operation is unaffected.

Patches

See PR.

Workarounds

There is no safe in-process workaround: any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag.

Resources

  • Fix commit: (link to the merged PR commit, once merged)
  • Affected code: primitives/trie/src/trie.rsput_chunk (around line 819) and put_raw (around line 351)

🎯 Affected products1

  • rust/nimiq-primitives:< 1.5.0

🔗 References (5)