Impact
A single unauthenticated peer can flood a libp2p gossipsub node with many unique topics, causing the Node.js process to exhaust its heap and crash. The vulnerability stems from three cooperating bugs that together allow a subscription flood when default options are used. The result is a complete denial of service: the node stops processing legitimate traffic and may crash, denying service to all connected peers. The weakness aligns with CWE‑20 (Improper Input Validation), CWE‑400 (Uncontrolled Resource Consumption), and CWE‑401 (Improper Resource Handling).
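The core defensive point is that per-peer subscription state must be bounded rather than growing with whatever a remote peer sends. The following is an added illustration, not js-libp2p's own code or its patch: a hypothetical `SubscriptionGuard` that caps the distinct topics any one peer may hold, caps the total topics the node tracks, rejects oversized topic names, and releases state on disconnect, so a single peer cannot drive the topic tables (and the heap) without limit.

```javascript
// Hypothetical per-peer subscription budget (added illustration, not js-libp2p code).
// Bounds the distinct topics one peer may hold and the topics the node tracks overall.
class SubscriptionGuard {
  constructor({ maxTopicsPerPeer = 64, maxTotalTopics = 1024, maxTopicLength = 256 } = {}) {
    Object.assign(this, { maxTopicsPerPeer, maxTotalTopics, maxTopicLength });
    this.peerTopics = new Map(); // peerId -> Set of topics that peer subscribed to
    this.topicPeers = new Map(); // topic  -> Set of peers subscribed to it
    this.rejected = 0;           // refused subscriptions, worth surfacing as a metric
  }
  // Records a subscription, or refuses it (returns false) when a limit would be exceeded.
  subscribe(peerId, topic) {
    if (typeof topic !== 'string' || topic.length === 0 || topic.length > this.maxTopicLength) {
      this.rejected += 1;
      return false;
    }
    const mine = this.peerTopics.get(peerId) ?? new Set();
    if (mine.has(topic)) return true; // repeated subscribe is idempotent and costs nothing
    const isNewTopic = !this.topicPeers.has(topic);
    if (mine.size >= this.maxTopicsPerPeer || (isNewTopic && this.topicPeers.size >= this.maxTotalTopics)) {
      this.rejected += 1;
      return false;
    }
    mine.add(topic);
    this.peerTopics.set(peerId, mine);
    const peers = this.topicPeers.get(topic) ?? new Set();
    peers.add(peerId);
    this.topicPeers.set(topic, peers);
    return true;
  }
  // Drops one subscription and forgets the topic once no peer holds it.
  unsubscribe(peerId, topic) {
    const mine = this.peerTopics.get(peerId);
    if (!mine || !mine.delete(topic)) return;
    const peers = this.topicPeers.get(topic);
    peers.delete(peerId);
    if (peers.size === 0) this.topicPeers.delete(topic);
    if (mine.size === 0) this.peerTopics.delete(peerId);
  }
  // Releases everything a peer held so a disconnect never leaks tracked state.
  disconnect(peerId) {
    for (const topic of [...(this.peerTopics.get(peerId) ?? [])]) this.unsubscribe(peerId, topic);
  }
  topicCount() { return this.topicPeers.size; }
  peerTopicCount(peerId) { return this.peerTopics.get(peerId)?.size ?? 0; }
}
// Feeds a list of topics from one peer through the guard; returns how many were accepted.
function subscribeMany(guard, peerId, topics) {
  return topics.filter((t) => guard.subscribe(peerId, t)).length;
}
```

A rising `rejected` counter for one peer is also a cheap detection signal worth exporting to monitoring.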
Affected Systems
The issue is present in the libp2p JavaScript implementation (js-libp2p) in all gossipsub nodes using default settings, and affects all versions earlier than 15.0.23. Any project that integrates js-libp2p for peer‑to‑peer networking and has not applied this patch is exposed.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. EPSS data is not available, so the current probability of exploitation is unclear; the vulnerability is not listed in the CISA KEV catalog, which suggests no known active exploitation yet. An attacker needs only to connect to the targeted node as a single peer. Once connected, they can initiate the flood; no authentication or privileged access is required, so the attack is relatively easy to launch against default configurations. The resulting DoS can affect entire networks that rely on the affected libp2p implementation.