CVE-2026-45783
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
In versions prior to 16.2.6, the libp2p library allowed an unauthenticated remote peer to exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages. The keys of these messages bypassed all content validation.
Risk Assessment
The organization may experience node unavailability, leading to service interruptions and potential financial losses. Disk exhaustion may also affect other services running on the same host.
Recommendation
It is recommended to upgrade to version 16.2.6 or later to patch this vulnerability. Additionally, implementing mechanisms to limit the number of incoming PUT_VALUE messages is advisable.
Original NVD description (English source)
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.

