199 matches found

NVD
added 2026/06/10 10:16 p.m., 8 views

CVE-2026-45783

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. N...

CVSS 7.5, EPSS 0.00354
Exploits: 0, References: 1
Vulnrichment
added 2026/06/10 9:09 p.m., 7 views

CVE-2026-45783 libp2p: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. N...

CVSS 7.5, AI score 5.4, EPSS 0.00354
Exploits: 0, References: 1
CVE
added 2026/06/10 9:09 p.m., 17 views

CVE-2026-45783

CVE-2026-45783 pertains to libp2p’s Kad-DHT (JavaScript) implementation. Before version 16.2.6, an unauthenticated remote peer can flood a server-mode Kad-DHT node with unbounded PUT_VALUE messages, whose keys bypass content validation, causing the node’s datastore to exhaust disk space and rende...

CVSS 7.5, AI score 5.4, EPSS 0.00354
Exploits: 0, References: 1
EUVD
added 2026/06/10 9:09 p.m., 9 views

EUVD-2026-36153

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUTVALUE messages whose keys bypass all content validation. N...

CVSS 7.5, AI score 5.4, EPSS 0.00354
Exploits: 0, References: 1
Vulnrichment
added 2026/06/10 9:08 p.m., 8 views

CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...

CVSS 7.5, AI score 5.3, EPSS 0.00278
Exploits: 0, References: 1
Cvelist
added 2026/06/10 9:08 p.m., 27 views

CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...

CVSS 7.5, EPSS 0.00278
Exploits: 0, References: 1
CVE
added 2026/06/10 9:08 p.m., 14 views

CVE-2026-46679

CVE-2026-46679 affects the JS implementation of libp2p gossipsub. Three omissions in the default gossipsub logic allow an unauthenticated peer to flood subscriptions and exhaust the Node.js heap, causing memory DoS and potential OOM. The issue arises from an unbounded this.topics map, unbounded p...

CVSS 7.5, AI score 5.4, EPSS 0.00278
Exploits: 0, References: 1
CNNVD
added 2026/06/10 12:00 a.m., 8 views

libp2p Input Validation Error Vulnerability

libp2p is a modular peer-to-peer network framework developed under the open source license of libp2p. Prior to version 15.0.23, there was a vulnerability related to input validation errors in libp2p. This vulnerability stemmed from three overlooked permissions in @libp2p/gossipsub, allowing an...

CVSS 7.5, AI score 5.3, EPSS 0.00278
Exploits: 0, References: 1
CNNVD
added 2026/06/10 12:00 a.m., 6 views

libp2p Input Validation Error Vulnerability

libp2p is a modular peer-to-peer network framework developed under the open-source license. Prior to version 16.2.6, libp2p had a vulnerability related to input validation errors. This vulnerability stemmed from unverified remote peers being able to send unlimited PUTVALUE messages, which could...

CVSS 7.5, AI score 5.3, EPSS 0.00354
Exploits: 0, References: 1
Vulnrichment
added 2026/06/09 11:44 p.m., 7 views

CVE-2026-44505 Nimiq network-libp2p: Untrusted peer can wedge DHT

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handledhtget network-libp2p/src/swarm.rs. Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record...

CVSS 5.3, AI score 5.5, EPSS 0.00297
Exploits: 0, References: 3
RedhatCVE
added 2026/06/05 7:22 p.m., 8 views

CVE-2026-34063

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, network-libp2p discovery uses a libp2p ConnectionHandler state machine. The handler assumes there is at most one inbound and one outbound discovery substream per connection. If a remote peer...

CVSS 7.5, AI score 5.6, EPSS 0.00352
Exploits: 0, References: 1
RedhatCVE
added 2026/06/05 7:09 p.m., 8 views

CVE-2026-35457

libp2p-rust is the official Rust implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed i...

CVSS 8.2, AI score 5.5, EPSS 0.00285
Exploits: 1, References: 1
OSV
added 2026/06/05 4:41 p.m., 4 views

GHSA-HF2G-6J7H-98WG klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS

Summary networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...

CVSS 7.5, AI score 5.4, EPSS 0.0005
Exploits: 0, References: 3
Github Security Blog
added 2026/06/05 4:41 p.m., 12 views

klever-go: Unbounded goroutine spawn on direct-message ingress enables peer-driven DoS

Summary networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...

AI score 5.4, EPSS 0.0005
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies
added 2026/06/05 12:00 a.m., 9 views

PT-2026-48345

Summary Every transaction gossiped on the klever-go P2P network is decoded and validated synchronously inside the libp2p pubsub topic-validator callback. The validator txVersionChecker.CheckTxVersion dereferences tx.RawData.Version with no nil check. A protobuf Transaction whose embedded RawData...

CVSS 7.5, AI score 5.5, EPSS 0.00058
Exploits: 0, References: 4
Positive Technologies
added 2026/06/05 12:00 a.m., 10 views

PT-2026-48346

Summary networkMessenger.directMessageHandler in network/p2p/libp2p/netMessenger.go spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight spawns. A single connected libp...

CVSS 7.5, AI score 5.4, EPSS 0.0005
Exploits: 0, References: 4
vulnersOsv
added 2026/05/21 9:38 p.m., 5 views

@bitsocial/ai-moderation-challenge (>=0.1.0 <=0.1.1), @bitsocial/bitsocial-cli (>=0.19.44 <=0.19.63) +6 more potentially affected by CVE-2026-46679 via @libp2p/gossipsub (>=15.0.0-049bfa0fa <=15.0.23-3574648c3)

@libp2p/gossipsub NPM version =15.0.0-049bfa0fa, =0.1.0, =0.19.44, =0.1.0, =0.1.0, =0.1.0, =6.0.0-049bfa0fa, =9.0.0-049bfa0fa, =0.0.17, =0.0.38 Source cves: CVE-2026-46679 Source advisory: SNYK:JS-LIBP2PGOSSIPSUB-16798774...

AI score 5.5, EPSS 0.00278
Exploits: 0
Snyk
added 2026/05/21 9:38 p.m., 7 views

Missing Release of Memory after Effective Lifetime

Overview: @libp2p/gossipsub is a TypeScript implementation of gossipsub. Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime through unbounded growth of the topics data structure when processing subscription requests. An attacker can exhaust...

CVSS 8.7, AI score 5.8, EPSS 0.00278
Exploits: 0, References: 2
OSV
added 2026/05/21 9:38 p.m., 5 views

GHSA-4F8R-922H-2VGV js-libp2p: Memory DoS via subscription flood of unique topics

Summary Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity packages/gossipsub/src/message/decodeRpc.ts:11: no decode-level cap on...

CVSS 7.5, AI score 5.8, EPSS 0.00278
Exploits: 0, References: 3
CVE
added 2026/05/20 9:27 p.m., 20 views

CVE-2026-40094

The CVE affects nimiq-blockchain (Rust). In versions up to 1.3.0, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book; a PeerContact can have an empty addresses list. PeerContactBook::known_peers then builds the address book usin...

CVSS 4.3, AI score 5.8, EPSS 0.00302
Exploits: 0, References: 3