Threat Feed

Tag

Libp2p

4 briefs
medium threat

js-libp2p Gossipsub Memory Exhaustion via Subscription Flood

A memory exhaustion vulnerability exists in `@libp2p/gossipsub` due to unbounded subscription handling. A single attacker can exhaust the Node.js heap by flooding a node with unique topic subscriptions, causing denial of service.

js-libp2p +1 dos memory-exhaustion libp2p
medium threat

@libp2p/kad-dht Unvalidated PUT_VALUE Records Allow Unbounded Disk Exhaustion

An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages whose crafted keys bypass validation.

@libp2p/kad-dht libp2p kad-dht denial-of-service disk-exhaustion
high advisory

libp2p-rendezvous Unlimited Namespace Registration DoS

A vulnerable libp2p-rendezvous server can be crashed by an unauthenticated peer that registers an unlimited number of namespaces, exhausting the server's memory.

libp2p rendezvous denial-of-service
high advisory

libp2p-gossipsub Remote Denial of Service via Integer Overflow

A remote, unauthenticated attacker can crash applications using libp2p-gossipsub versions prior to 0.49.4 by sending a crafted PRUNE control message with a near-maximum backoff value, causing an arithmetic overflow during heartbeat processing.

libp2p gossipsub denial-of-service integer overflow rust