52 matches found
CVE-2026-46679
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...
CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...
CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...
EUVD-2026-36152
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...
CVE-2026-46679
CVE-2026-46679 affects the JS implementation of libp2p gossipsub. Three omissions in the default gossipsub logic allow an unauthenticated peer to flood subscriptions and exhaust the Node.js heap, causing memory DoS and potential OOM. The issue arises from an unbounded this.topics map, unbounded p...
libp2p 输入验证错误漏洞
libp2p is a modular peer-to-peer network framework developed under the open source license of libp2p. Prior to version 15.0.23, there was a vulnerability related to input validation errors in libp2p. This vulnerability stemmed from three overlooked permissions in @libp2p/gossipsub, allowing an...
Missing Release of Memory after Effective Lifetime
Overview @libp2p/gossipsub is an A typescript implementation of gossipsub Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime through unbounded growth of the topics data structure when processing subscription requests. An attacker can exhaust...
GHSA-4F8R-922H-2VGV js-libp2p: Memory DoS via subscription flood of unique topics
Summary Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity packages/gossipsub/src/message/decodeRpc.ts:11: no decode-level cap on...
@bitsocial/ai-moderation-challenge (>=0.1.0 <=0.1.1), @bitsocial/bitsocial-cli (>=0.19.44 <=0.19.63) +6 more potentially affected by CVE-2026-46679 via @libp2p/gossipsub (>=15.0.0-049bfa0fa <=15.0.23-3574648c3)
@libp2p/gossipsub NPM version =15.0.0-049bfa0fa, =0.1.0, =0.19.44, =0.1.0, =0.1.0, =0.1.0, =6.0.0-049bfa0fa, =9.0.0-049bfa0fa, =0.0.17, =0.0.38 Source cves: CVE-2026-46679 Source advisory: SNYK:JS-LIBP2PGOSSIPSUB-16798774...
js-libp2p: Memory DoS via subscription flood of unique topics
Summary Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity packages/gossipsub/src/message/decodeRpc.ts:11: no decode-level cap on...
CVE-2026-34219
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled...
CVE-2026-34219
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled...
CVE-2026-34219 libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled...
CVE-2026-34219 libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled...
CVE-2026-34219
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled...
CVE-2026-34219
CVE-2026-34219 affects libp2p-rust’s libp2p-gossipsub: prior to 0.49.4, Gossipsub’s backoff expiry handling can overflow when adding Slack to an Instant, after a crafted PRUNE with attacker-controlled backoff. This remotely reachable panic is triggered in heartbeat processing and is exploitable o...
blake-streams (=0.1.0), fuel-p2p (>=0.4.0 <=0.5.0) +9 more potentially affected by CVE-2026-34219 via libp2p-gossipsub (>=0.28.0 <=0.35.0)
libp2p-gossipsub CARGO version =0.28.0, =0.4.0, =0.20.0, =0.36.0, =0.16.0, =0.1.0, =0.1.1, =0.2.0, =0.39.1, =0.39.3 Source cves: CVE-2026-34219 Source advisory: OSV:GHSA-XQMP-FXGV-XVQ5...
libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling
Description Summary The Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the...
GHSA-XQMP-FXGV-XVQ5 libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling
Description Summary The Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the...
PT-2026-29063
Name of the Vulnerable Software and Affected Versions libp2p-rust versions prior to 0.49.4 Description The libp2p-rust Gossipsub implementation has a flaw where a crafted PRUNE control message with a near-maximum backoff value can cause a panic due to unchecked Instant + Duration arithmetic durin...