Dismissed
(no matching packages found)
Permalink
CVE-2026-49866
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
Activity log
- Created & dismissed (no matching packages found) suggestion
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0.
References
-
https://github.com/libp2p/js-libp2p/security/advisories/GHSA-cwc9-cp4j-mcvv x_refsource_CONFIRM
-
https://github.com/libp2p/js-libp2p/pull/3520 x_refsource_MISC
-
https://github.com/libp2p/js-libp2p/releases/tag/gossipsub-v16.0.0 x_refsource_MISC
Affected products
js-libp2p
- ==< 16.0.0