CVE-2026-46679: CWE-20: Improper Input Validation in libp2p js-libp2p
CVE-2026-46679 is a high-severity vulnerability in the JavaScript implementation of the libp2p networking stack (js-libp2p). Prior to version 15. 0. 23, an unauthenticated single peer can exploit omissions in the @libp2p/gossipsub module to exhaust the Node. js heap of any gossipsub node running with default options. This denial-of-service condition results from improper input validation and resource management issues. The vulnerability has been patched in version 15. 0. 23.
AI Analysis
Technical Summary
The vulnerability CVE-2026-46679 affects js-libp2p versions before 15.0.23. It arises from three cooperating omissions in the @libp2p/gossipsub module that allow an unauthenticated remote peer to cause heap exhaustion on a gossipsub node using default settings. This is due to improper input validation (CWE-20) and resource exhaustion issues (CWE-400, CWE-401). The issue leads to denial of service by exhausting the Node.js heap memory. The vulnerability is fixed in version 15.0.23.
Potential Impact
An unauthenticated attacker can remotely cause a denial of service by exhausting the Node.js heap memory of a gossipsub node running vulnerable versions of js-libp2p. There is no impact on confidentiality or integrity reported. The attack affects availability by crashing or severely degrading the performance of the affected node.
Mitigation Recommendations
A fix is available in js-libp2p version 15.0.23. Users should upgrade to version 15.0.23 or later to remediate this vulnerability. No additional mitigation guidance or temporary workarounds are provided in the vendor advisory.
CVE-2026-46679: CWE-20: Improper Input Validation in libp2p js-libp2p
Description
CVE-2026-46679 is a high-severity vulnerability in the JavaScript implementation of the libp2p networking stack (js-libp2p). Prior to version 15. 0. 23, an unauthenticated single peer can exploit omissions in the @libp2p/gossipsub module to exhaust the Node. js heap of any gossipsub node running with default options. This denial-of-service condition results from improper input validation and resource management issues. The vulnerability has been patched in version 15. 0. 23.
CVSS v3.1
Score 7.5high
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-46679 affects js-libp2p versions before 15.0.23. It arises from three cooperating omissions in the @libp2p/gossipsub module that allow an unauthenticated remote peer to cause heap exhaustion on a gossipsub node using default settings. This is due to improper input validation (CWE-20) and resource exhaustion issues (CWE-400, CWE-401). The issue leads to denial of service by exhausting the Node.js heap memory. The vulnerability is fixed in version 15.0.23.
Potential Impact
An unauthenticated attacker can remotely cause a denial of service by exhausting the Node.js heap memory of a gossipsub node running vulnerable versions of js-libp2p. There is no impact on confidentiality or integrity reported. The attack affects availability by crashing or severely degrading the performance of the affected node.
Mitigation Recommendations
A fix is available in js-libp2p version 15.0.23. Users should upgrade to version 15.0.23 or later to remediate this vulnerability. No additional mitigation guidance or temporary workarounds are provided in the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T21:46:51.547Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29dafc3187570649959430
Added to database: 6/10/2026, 9:45:32 PM
Last enriched: 6/10/2026, 10:00:28 PM
Last updated: 6/10/2026, 10:58:27 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.