CVE-2026-45783: CWE-20: Improper Input Validation in libp2p js-libp2p
A vulnerability in js-libp2p prior to version 16. 2. 6 allows an unauthenticated remote peer to exhaust disk storage of a node running @libp2p/kad-dht in server mode. This is achieved by sending an unbounded stream of PUT_VALUE messages with keys that bypass content validation, filling the victim's datastore and causing denial of service. The issue has been fixed in version 16. 2. 6.
AI Analysis
Technical Summary
The vulnerability CVE-2026-45783 in js-libp2p (a JavaScript implementation of the libp2p networking stack) involves improper input validation (CWE-20) leading to resource exhaustion (CWE-400). Specifically, before version 16.2.6, an unauthenticated remote peer can send an unlimited number of PUT_VALUE messages with crafted keys that bypass content validation to any @libp2p/kad-dht node running in server mode. This causes the victim node's datastore to fill up, exhausting disk storage and rendering the node unavailable. No credentials or prior relationship are required to exploit this vulnerability. The issue is addressed by patching to version 16.2.6.
Potential Impact
An attacker can cause a denial of service by exhausting the disk storage of a vulnerable node, making the node unavailable. There is no confidentiality or integrity impact reported. The attack requires no authentication or protocol deviation beyond sending crafted keys. This can disrupt network operations relying on the affected node.
Mitigation Recommendations
Upgrade js-libp2p to version 16.2.6 or later, where this vulnerability is patched. There is no indication of alternative mitigations or temporary fixes. Patch status is confirmed by the vendor advisory stating the fix is in version 16.2.6.
CVE-2026-45783: CWE-20: Improper Input Validation in libp2p js-libp2p
Description
A vulnerability in js-libp2p prior to version 16. 2. 6 allows an unauthenticated remote peer to exhaust disk storage of a node running @libp2p/kad-dht in server mode. This is achieved by sending an unbounded stream of PUT_VALUE messages with keys that bypass content validation, filling the victim's datastore and causing denial of service. The issue has been fixed in version 16. 2. 6.
CVSS v3.1
Score 7.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-45783 in js-libp2p (a JavaScript implementation of the libp2p networking stack) involves improper input validation (CWE-20) leading to resource exhaustion (CWE-400). Specifically, before version 16.2.6, an unauthenticated remote peer can send an unlimited number of PUT_VALUE messages with crafted keys that bypass content validation to any @libp2p/kad-dht node running in server mode. This causes the victim node's datastore to fill up, exhausting disk storage and rendering the node unavailable. No credentials or prior relationship are required to exploit this vulnerability. The issue is addressed by patching to version 16.2.6.
Potential Impact
An attacker can cause a denial of service by exhausting the disk storage of a vulnerable node, making the node unavailable. There is no confidentiality or integrity impact reported. The attack requires no authentication or protocol deviation beyond sending crafted keys. This can disrupt network operations relying on the affected node.
Mitigation Recommendations
Upgrade js-libp2p to version 16.2.6 or later, where this vulnerability is patched. There is no indication of alternative mitigations or temporary fixes. Patch status is confirmed by the vendor advisory stating the fix is in version 16.2.6.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T07:45:21.252Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29dafc318757064995942d
Added to database: 6/10/2026, 9:45:32 PM
Last enriched: 6/10/2026, 10:00:35 PM
Last updated: 6/10/2026, 10:46:41 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.