{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/libp2p/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@libp2p/kad-dht"],"_cs_severities":["medium"],"_cs_tags":["libp2p","kad-dht","denial-of-service","disk-exhaustion"],"_cs_type":"threat","_cs_vendors":["libp2p"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@libp2p/kad-dht\u003c/code\u003e library is vulnerable to a denial-of-service attack where an unauthenticated remote peer can exhaust the disk storage of a node running in server mode. This is achieved by sending an unbounded stream of \u003ccode\u003ePUT_VALUE\u003c/code\u003e messages with specially crafted keys that bypass content validation. The vulnerability stems from two key defects in the code. First, the \u003ccode\u003everifyRecord\u003c/code\u003e function silently returns success for keys with fewer than three slash-delimited parts, leading to unconditional writes to the datastore. Second, the RPC message loop lacks proper rate limiting or message count limits, allowing an attacker to stream an unlimited number of messages indefinitely by resetting the inactivity timeout with each message. This can lead to the victim node\u0026rsquo;s datastore filling up until the host disk is exhausted, making the node unavailable. The issue affects \u003ccode\u003e@libp2p/kad-dht\u003c/code\u003e versions prior to the fix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a TLS handshake with the target \u003ccode\u003e@libp2p/kad-dht\u003c/code\u003e node without authentication.\u003c/li\u003e\n\u003cli\u003eAttacker opens a new stream to send \u003ccode\u003ePUT_VALUE\u003c/code\u003e messages. The target node can accept up to 32 concurrent inbound streams.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a \u003ccode\u003ePUT_VALUE\u003c/code\u003e message with a key that has fewer than three slash-delimited parts (e.g., \u003ccode\u003e\\x01\\x02\\x03\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003everifyRecord\u003c/code\u003e function in \u003ccode\u003epackages/kad-dht/src/record/validators.ts\u003c/code\u003e silently returns without validation because the key does not conform to the expected format.\u003c/li\u003e\n\u003cli\u003eThe crafted record is written to the target node\u0026rsquo;s datastore. Each message can contain up to 4MB of data due to the \u003ccode\u003eDEFAULT_MAX_DATA_LENGTH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe target node resets the inactivity timeout (\u003ccode\u003ethis.incomingMessageTimeout\u003c/code\u003e) after processing each message in the RPC loop in \u003ccode\u003epackages/kad-dht/src/rpc/index.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 3-6 indefinitely, sending a continuous stream of invalid \u003ccode\u003ePUT_VALUE\u003c/code\u003e messages within the 10-second timeout window.\u003c/li\u003e\n\u003cli\u003eThe target node\u0026rsquo;s datastore fills up with unvalidated data, exhausting the disk space and causing a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition. An attacker can remotely exhaust the disk space of any \u003ccode\u003e@libp2p/kad-dht\u003c/code\u003e node running in server mode, rendering it unavailable. Since the attack is unauthenticated and can be performed over multiple concurrent streams, it has the potential to impact a large number of nodes. The number of victims and the sectors targeted would depend on the deployment size of \u003ccode\u003e@libp2p/kad-dht\u003c/code\u003e nodes. If successful, legitimate services relying on the DHT network may be disrupted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of \u003ccode\u003e@libp2p/kad-dht\u003c/code\u003e that includes the fix for the unbounded \u003ccode\u003ePUT_VALUE\u003c/code\u003e vulnerability as detailed in \u003ca href=\"https://github.com/advisories/GHSA-32mq-hpph-xfvr\"\u003eGHSA-32mq-hpph-xfvr\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting or message count limits on incoming streams to prevent unbounded message loops in \u003ccode\u003epackages/kad-dht/src/rpc/index.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Libp2p Kad-DHT Unvalidated PUT_VALUE Attack\u003c/code\u003e to detect unusual amounts of PUT_VALUE messages with crafted keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T20:09:11Z","date_published":"2026-05-19T20:09:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kad-dht-dos/","summary":"An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages with crafted keys to bypass validation and cause disk exhaustion.","title":"@libp2p/kad-dht Unvalidated PUT_VALUE Records Allow Unbounded Disk Exhaustion","url":"https://feed.craftedsignal.io/briefs/2026-05-kad-dht-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Libp2p","version":"https://jsonfeed.org/version/1.1"}