Posts tagged advisory.
How unauthenticated simulateTransaction requests saturate an Agave RPC node's executor pool
Agave runs the simulateTransaction handler synchronously on its shared Tokio executor threads, so unauthenticated, gas-free simulate requests pin those workers and add queue latency across the validator's entire JSON-RPC tier — not just the simulate path.
How CometBFT's SecretConnection handshake spends CPU before authenticating the peer
CometBFT completes the full SecretConnection STS handshake — an X25519 Diffie–Hellman exchange and an Ed25519 signature verification — for any connecting peer before checking whether that peer's node-ID is allowlisted, so an unauthenticated remote source can spend the node's asymmetric-crypto budget at will.
How unbounded HTTP/2 concurrent streams let one TCP connection OOM-kill an IOTA node's public gRPC server
An IOTA node's public gRPC server accepts an unbounded number of concurrent HTTP/2 streams on a single TCP connection, so one client multiplexing around 200 concurrent GetTransactions calls drives resident memory from a few hundred MB to multiple GB in about 10 seconds until the kernel OOM-killer terminates the node.
How an unauthenticated TLS half-open flood pins rippled's memory and crashes it under low file-descriptor limits
rippled's inbound TLS listeners on the peer port (51235) and the RPC-HTTPS port (5006) accept a partial TLS handshake with no deadline and no per-IP half-open cap, so a single source IP can pin server memory indefinitely and, at a default file-descriptor limit, crash the process.
Eighteen advisories, ten node implementations, one attack class
Since NR-2026-001, eighteen advisories across ten independent node implementations. Not unrelated bugs: one recurring attack class, unauthenticated ingress surfaces where a cheap request forces disproportionate cost. Egress and memory amplification, pre-auth CPU exhaustion, connection exhaustion, and crashes.
NR-2026-001 - Three Agave RPC architectural findings
Three architectural findings in the Agave JSON-RPC layer at v3.1.9: response amplification on getMultipleAccounts, Tokio executor saturation via simulateTransaction, and spawn_blocking pool saturation via getProgramAccounts. Architectural patterns, not rate-limit DoS - operator rate limits don't close them.
