CVE-2026-46679
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
In versions prior to 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options.
Risk Assessment
The organization may experience service outages related to gossipsub, leading to downtime and potential financial losses.
Recommendation
It is recommended to upgrade to version 15.0.23 or later to patch this vulnerability.
Original NVD description (English source)
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.

