DOS vulnerability in /tx_search RPC endpoint #1387
Comments
|
Hi @mrlp4 thanks for reporting the issue. We understand that this issue can impact the stability and performance of CometBFT nodes, and we are actively working to address it. Some quick suggestions:
For a more long-term solution, we are working on - ADR 102 The ADR focuses on - Resource Offloading, Scalability, and Minimal Effort Integration |
|
To follow up on Ali's comment, we have merged an implementation of ADR-101 #82. This is an API which allows users to extract data from Comet via gRPC , build their custom indexing and querying scheme and instruct Comet to prune this data from the full nodes. ADR-102 is an example companion that should use this API. But users are not constrained to using this particular application. |
|
Thank you for bringing this to our attention, @mrlp4. As we have previously mentioned, this is a known issue that has been reported multiple times over the years. While we understand the concerns that this may cause for public nodes, we are confident that the secure operator's default setup ensures that this issue poses no threat to the chain's consensus or liveness. While we understand there's a concern with bringing down publicly available nodes, most of them are nodes set up to provide data to users on a best-effort basis, like the ones in Cosmos Directory. From a consensus standpoint, validators don't expose their validating nodes to the public internet (mainly the RPC endpoint), and indexing services (e.g., block explorers) also maintain their nodes and keep them private. As @jmalicevic mentioned, our goal is to make available the features that will allow the creation of Data Companions (ADR-101), which can offload indexing to external nodes, and these will be able to better index and serve the data. There are other things that they can do to mitigate some of the risk. For example, these public nodes can use a reverse proxy where they don't expose some particular endpoints related to the indexing, such as We understand that this is not the final solution. The Data Companion route will be the best solution in the future for publicly available nodes. In the meantime, until the Data Companion is not fully functional, we will investigate this further to see if there's a way to mitigate this issue without causing any breaking changes or that would require a lot of effort. |
|
reverse proxy (nginx) could block uri-over-http ( but could not block jsonrpc-over-http: I have to write a custom proxy/gateway. |
|
Closing as hopefully the issue was resolved with the suggestions above. In case it still poses as a vulnerability, please reopen (or submit a hacker1 report). |
Uh oh!
There was an error while loading. Please reload this page.
Summary
RPC query
/tx_search?query=tx.height>1&prove=truetriggers enormous RAM utilization in cometbft \ tendermint node, which triggers oom killer and node restart.Tested and confirmed with various cometbft versions (up to v0.37.2) and tendermint (at least v0.34.21).
Details & PoC
query to RPC
http://127.0.0.1:26657/tx_search?query=tx.height>1&prove=truetriggers complete RAM utilization and oom-kill for node process by system.Impact
Most of the RPC endpoints, including many listed in chain-registry are vulnerable.
tbn: only heavy-state nodes are affected, pruned one's react with short RAM spikes only.
Similar behavior but for another endpoint as been described in issue 517
The text was updated successfully, but these errors were encountered: