Description
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0.
Published: 2026-07-08
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the libp2p networking stack allows an attacker to send oversized IHAVE and IWANT messages containing up to roughly 180,000 message IDs in a single 4 MB frame. Decoding these messages causes the Node.js event loop to block, consuming a large amount of CPU and preventing normal operation, which is a classic denial‑of‑service weakness as described by CWE‑770.

Affected Systems

Systems using the JavaScript libp2p library (js‑libp2p) and the Gossipsub protocol implementation before version 16.0.0 are affected. The bug is triggered whenever the default decoding limits for IHAVE and IWANT message IDs are set to Infinity.

Risk and Exploitability

The CVSS score of 7.5 rates the risk as moderate to high for availability. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, implying that no widespread automated exploits have been observed publicly. The likely attack vector is remote: an adversary can send crafted gossipsub control messages over the network, as the protocol permits any peer to transmit IHAVE and IWANT frames. Once executed, the attack causes a sustained CPU burst that blocks the Node.js event loop, effectively denying service to legitimate users. The vulnerability can be exploited by any peer that can establish a gossipsub connection, and no privileged state or special access is required.

Generated by OpenCVE AI on July 9, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the libp2p library to version 16.0.0 or later, which limits IHAVE and IWANT message size and removes the blocking loop.
  • Update any downstream dependencies that import @libp2p/gossipsub to ensure they use the patched version.
  • If upgrading immediately is not possible, configure custom decodeRpcLimits to set maxIhaveMessageIDs and maxIwantMessageIDs to reasonable lower values, thereby preventing excessive iteration during decoding.

Generated by OpenCVE AI on July 9, 2026 at 04:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0.
Title libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T20:47:09.051Z

Reserved: 2026-06-01T22:03:19.641Z

Link: CVE-2026-49866

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling