CVE Catalog

CVE-2026-45783

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

19th percentile - higher than 19% of all known CVEs

Summary

In versions prior to 16.2.6, the libp2p library allowed an unauthenticated remote peer to exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages. The keys of these messages bypassed all content validation.

Risk Assessment

The organization may experience node unavailability, leading to service interruptions and potential financial losses. Disk exhaustion may also affect other services running on the same host.

Recommendation

It is recommended to upgrade to version 16.2.6 or later to patch this vulnerability. Additionally, implementing mechanisms to limit the number of incoming PUT_VALUE messages is advisable.

Original NVD description (English source)

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS