CVE-2026-45783

libp2p: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes

CVSS 7.5 HIGHEPSS 0.4%CWE-20 CWE-400

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

10 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Productos afectados

libp2p · js-libp2p

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/libp2p/js-libp2p/security/advisories/GHSA-32mq-hpph-xfvr