Description
libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote peer can send an unbounded stream of PUT_VALUE messages to a @libp2p/kad-dht node running in server mode, causing the node’s datastore to fill until the host disk is exhausted. This results in the node becoming unavailable. The weakness stems from input validation failures (CWE-20) and uncontrolled resource consumption (CWE-400).

Affected Systems

The vulnerability affects the libp2p:js-libp2p implementation, specifically any @libp2p/kad-dht node in server mode before version 16.2.6. Users running older versions are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the empirical exploitation likelihood is unclear. However, the vulnerability can be exercised by any remote peer without authentication or prior relationship, making it potentially exploitable in open or poorly segmented networks. Once exploited, the attacker can exhaust disk space and crash the node, providing a denial‑of‑service attack vector.

Generated by OpenCVE AI on June 10, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libp2p to version 16.2.6 or later.
  • If immediate upgrade is not feasible, restrict incoming connections to the DHT port through a firewall or network segmentation to limit untrusted peers.
  • Run the node in a non‑server configuration or apply any available runtime key‑validation settings to reject malformed PUT_VALUE requests.



Advisories
Source: GitHub GHSA
ID: GHSA-32mq-hpph-xfvr
Title: @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
History

Wed, 10 Jun 2026 21:45:00 +0000

Type: Description
Values added: libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.

Type: Title
Values added: libp2p: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes

Type: Weaknesses
Values added: CWE-20, CWE-400

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T21:09:40.499Z

Reserved: 2026-05-13T07:45:21.252Z

Link: CVE-2026-45783

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:16:59.053

Modified: 2026-06-10T22:16:59.053

Link: CVE-2026-45783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T22:30:22Z

Weaknesses