CVE Catalog

CVE-2026-46679

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

19th percentile - higher than 19% of all known CVEs

Summary

In versions prior to 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options.

Risk Assessment

The organization may experience service outages related to gossipsub, leading to downtime and potential financial losses.

Recommendation

It is recommended to upgrade to version 15.0.23 or later to patch this vulnerability.

Original NVD description (English source)

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS