Allocation of Resources Without Limits or Throttling Affecting @libp2p/gossipsub package, versions <15.0.23-d888f182f


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.45% (36th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-LIBP2PGOSSIPSUB-17901717
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditTahaa Farooq

Introduced: 8 Jul 2026

NewCVE-2026-49866  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade @libp2p/gossipsub to version 15.0.23-d888f182f or higher.

Overview

@libp2p/gossipsub is an A typescript implementation of gossipsub

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the defaultDecodeRpcLimits in which maxIhaveMessageIDs and maxIwantMessageIDs are set to Infinity, allowing oversized IHAVE and IWANT control message arrays to be processed in message/decodeRpc.ts and gossipsub.ts. An attacker can exhaust CPU resources and block the Node.js event loop by sending large arrays of message IDs.

CVSS Base Scores

version 4.0
version 3.1