Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Any connected peer can remotely trigger event-loop blocking without auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is availability-only (A:H, C:N/I:N).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0.
Articles & Coverage 1
AnalysisAI
Remote denial of service in the JavaScript @libp2p/gossipsub module (all versions prior to 16.0.0) lets any connected peer stall a victim node by sending oversized IHAVE/IWANT control messages. Because defaultDecodeRpcLimits left maxIhaveMessageIDs and maxIwantMessageIDs set to Infinity, a single 4 MB RPC frame forces roughly 180,000 message IDs to be iterated synchronously, blocking the Node.js event loop and freezing the process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run @libp2p/gossipsub below 16.0.0 with the default decode limits (maxIhaveMessageIDs/maxIwantMessageIDs at Infinity) and that the attacker be able to establish a libp2p connection and participate in the gossipsub pubsub mesh so it can deliver IHAVE/IWANT control messages. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) - network-reachable, low complexity, no privileges or user interaction, pure availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connects to a target js-libp2p node running an unpatched @libp2p/gossipsub and joins the gossip mesh as an ordinary peer. They send a maximally sized (~4 MB) RPC frame whose IHAVE/IWANT arrays contain roughly 180,000 message IDs; the victim iterates the entire array synchronously, blocking its Node.js event loop and rendering the node unresponsive. … |
| Remediation | Vendor-released patch: upgrade @libp2p/gossipsub to 16.0.0, which sets finite bounds for maxIhaveMessageIDs and maxIwantMessageIDs in defaultDecodeRpcLimits (fix commit https://github.com/libp2p/js-libp2p/commit/773dd80ded24dbd6b19e675c89fd2f3b45f2d899 via PR https://github.com/libp2p/js-libp2p/pull/3520, per advisory GHSA-cwc9-cp4j-mcvv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems using @libp2p/gossipsub to assess exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42409
GHSA-cwc9-cp4j-mcvv