Impact
The vulnerability in the libp2p networking stack allows an attacker to send oversized IHAVE and IWANT messages containing up to roughly 180,000 message IDs in a single 4 MB frame. Decoding these messages causes the Node.js event loop to block, consuming a large amount of CPU and preventing normal operation, which is a classic denial‑of‑service weakness as described by CWE‑770.
Affected Systems
Systems using the JavaScript libp2p library (js‑libp2p) and the Gossipsub protocol implementation before version 16.0.0 are affected. The bug is triggered whenever the default decoding limits for IHAVE and IWANT message IDs are set to Infinity.
Risk and Exploitability
The CVSS score of 7.5 rates the risk as moderate to high for availability. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, implying that no widespread automated exploits have been observed publicly. The likely attack vector is remote: an adversary can send crafted gossipsub control messages over the network, as the protocol permits any peer to transmit IHAVE and IWANT frames. Once executed, the attack causes a sustained CPU burst that blocks the Node.js event loop, effectively denying service to legitimate users. The vulnerability can be exploited by any peer that can establish a gossipsub connection, and no privileged state or special access is required.
OpenCVE Enrichment