A high-severity vulnerability, CVE-2026-49866, affects the libp2p gossipsub module in versions prior to 16.0.0. The flaw allows an attacker to cause CPU denial-of-service via oversized IHAVE and IWANT control message arrays, which can block the Node.js event loop for extended periods due to a lack of cap on how many IDs a single frame may contain. This enables an attacker with sufficient resources to overwhelm the system. In the case of IHAVE messages, a per-peer counter limits each peer to one full iteration per heartbeat, but this can be bypassed by using Sybil peers. IWANT messages have no equivalent counter, making them particularly vulnerable to abuse. An attacker can exploit this vulnerability by connecting multiple peers and sending oversized control message arrays, causing the victim's system to become unresponsive. This has significant business impact as it can lead to downtime and productivity losses for affected organizations. The CVSS v3 score is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high severity vulnerability.
We recommend you to update libp2p to version 16.0.0.[/subscribe_to_unlock_form]
A high-severity vulnerability, CVE-2026-49866, affects the libp2p gossipsub module in versions prior to 16.0.0. The flaw allows an attacker to cause CPU denial-of-service via oversized IHAVE and IWANT control message arrays, which can block the Node.js event loop for extended periods due to a lack of cap on how many IDs a single frame may contain. This enables an attacker with sufficient resources to overwhelm the system. In the case of IHAVE messages, a per-peer counter limits each peer to one full iteration per heartbeat, but this can be bypassed by using Sybil peers. IWANT messages have no equivalent counter, making them particularly vulnerable to abuse. An attacker can exploit this vulnerability by connecting multiple peers and sending oversized control message arrays, causing the victim's system to become unresponsive. This has significant business impact as it can lead to downtime and productivity losses for affected organizations. The CVSS v3 score is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high severity vulnerability.
We recommend you to update libp2p to version 16.0.0.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]