Description
libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow a single unauthenticated peer to exhaust the Node.js heap of any gossipsub node running with default options. This issue has been patched in version 15.0.23.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A single unauthenticated peer can flood a libp2p gossipsub node with subscriptions to many unique topics, causing the Node.js process to exhaust its heap and crash. The vulnerability stems from three cooperating bugs that allow such a subscription flood whenever default options are used. The result is a complete denial of service: the node stops processing legitimate traffic and may crash, denying service to all connected peers. The weakness aligns with CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), and CWE-401 (Missing Release of Memory after Effective Lifetime).

Affected Systems

The issue is present in @libp2p/gossipsub, the gossipsub implementation of the libp2p JavaScript stack (js-libp2p), in versions earlier than 15.0.23; every gossipsub node running with default options is affected. Any project that integrates js-libp2p for peer-to-peer networking and has not applied this patch is exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. EPSS data is not available, so the current probability of exploitation is unclear, and the vulnerability is not listed in the CISA KEV catalog, which suggests no known active exploitation yet. An attacker needs only to connect to the target node as a single ordinary peer; once connected, the flood can be started without any authentication or privileged access, so the attack is relatively easy to launch against default configurations. The resulting DoS can affect entire networks that rely on the affected libp2p implementation.

Generated by OpenCVE AI on June 10, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libp2p:js-libp2p (@libp2p/gossipsub) to version 15.0.23 or later.
  • Reconfigure the gossipsub implementation to reject or throttle subscriptions to unknown topics before allocating memory for them.
  • Continuously monitor node memory usage and restart the service if heap-exhaustion indicators appear.


Advisories
Source: GitHub GHSA
ID: GHSA-4f8r-922h-2vgv
Title: js-libp2p: Memory DoS via subscription flood of unique topics
History

Thu, 11 Jun 2026 15:30:00 +0000

  • Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

  • First Time appeared: Libp2p; Libp2p libp2p
  • Vendors & Products added: Libp2p; Libp2p libp2p

Wed, 10 Jun 2026 21:45:00 +0000

  • Description added: libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.
  • Title added: libp2p: Memory DoS via subscription flood of unique topics
  • Weaknesses added: CWE-20, CWE-400, CWE-401
  • References: none
  • Metrics (cvssV3_1) added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

No values were removed in any of these changes.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T14:18:41.039Z

Reserved: 2026-05-15T21:46:51.547Z

Link: CVE-2026-46679

Vulnrichment

Updated: 2026-06-11T14:18:32.272Z

NVD

Status: Deferred

Published: 2026-06-10T22:17:00.300

Modified: 2026-06-11T16:16:23.663

Link: CVE-2026-46679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:30:11Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-401

    Missing Release of Memory after Effective Lifetime