This is a security vulnerability.
Though we have a detection for block download stalling in SendMessages() of src/main.cpp at line 6380, the timeout for header sync remain unchecked.
This check should be also added to the SendMessages() function, and disconnect the stalling peer after timeout.
Similar fix from Bitcoin: bitcoin/bitcoin@76f7481.
Reported by 6004ed5feaa31ae9df36b5dbc60f0fa53255a5fb734334082c6d202405fc738c.