Skip to main content

libp2p gossipsub CVE-2026-49866

| EUVDEUVD-2026-42409 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-08 security-advisories@github.com GHSA-cwc9-cp4j-mcvv
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Any connected peer can remotely trigger event-loop blocking without auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only (A:H, C:N/I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 22:04 EUVD
Analysis Generated
Jul 08, 2026 - 21:38 vuln.today

DescriptionCVE.org

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0.

AnalysisAI

Remote denial of service in the JavaScript @libp2p/gossipsub module (all versions prior to 16.0.0) lets any connected peer stall a victim node by sending oversized IHAVE/IWANT control messages. Because defaultDecodeRpcLimits left maxIhaveMessageIDs and maxIwantMessageIDs set to Infinity, a single 4 MB RPC frame forces roughly 180,000 message IDs to be iterated synchronously, blocking the Node.js event loop and freezing the process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect as libp2p peer
Delivery
Join gossipsub mesh
Exploit
Send 4 MB IHAVE/IWANT frame
Execution
Force synchronous iteration of ~180k IDs
Persist
Block Node.js event loop
Impact
Node unresponsive (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run @libp2p/gossipsub below 16.0.0 with the default decode limits (maxIhaveMessageIDs/maxIwantMessageIDs at Infinity) and that the attacker be able to establish a libp2p connection and participate in the gossipsub pubsub mesh so it can deliver IHAVE/IWANT control messages. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) - network-reachable, low complexity, no privileges or user interaction, pure availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to a target js-libp2p node running an unpatched @libp2p/gossipsub and joins the gossip mesh as an ordinary peer. They send a maximally sized (~4 MB) RPC frame whose IHAVE/IWANT arrays contain roughly 180,000 message IDs; the victim iterates the entire array synchronously, blocking its Node.js event loop and rendering the node unresponsive. …
Remediation Vendor-released patch: upgrade @libp2p/gossipsub to 16.0.0, which sets finite bounds for maxIhaveMessageIDs and maxIwantMessageIDs in defaultDecodeRpcLimits (fix commit https://github.com/libp2p/js-libp2p/commit/773dd80ded24dbd6b19e675c89fd2f3b45f2d899 via PR https://github.com/libp2p/js-libp2p/pull/3520, per advisory GHSA-cwc9-cp4j-mcvv). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems using @libp2p/gossipsub to assess exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-49866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy