GHSA-xc79-566c-j4qx: 
vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-xc79-566c-j4qx) was identified in the Parallax client affecting versions prior to 0.1.4. The vulnerability was discovered by DongHan Kim through the Ethereum bug bounty program and was disclosed on October 9, 2025, with an update released on October 10, 2025. The issue received a CVSS score of 7.5, indicating high severity (GitHub Advisory).

The vulnerability stems from an integer overflow issue in the Parallax protocol's handling of GetBlockHeadersRequest messages. When processing these messages, the function GetHeadersFrom(number, count uint64) receives a manipulated count parameter that, due to integer overflow, becomes UINT64_MAX. This allows attackers to bypass the maxHeadersServe limitation and request headers from the latest block back to the genesis block (GitHub Advisory).

When exploited, this vulnerability enables an attacker to force a vulnerable node to consume excessive amounts of memory while processing specially crafted p2p messages. The attack impacts system availability, as reflected in the CVSS metrics showing high availability impact while maintaining unchanged scope and requiring no special privileges or user interaction (GitHub Advisory).

The vulnerability has been patched in Parallax client version 0.1.4 and later releases. The fix was implemented through commit f759e90, which added a sanity limit to the header accessor. No alternative workarounds were made public (Parallax Release, GitHub Advisory).