Improper Validation of Syntactic Correctness of Input in @libp2p/kad-dht | CVE-2026-45783

Q: How to fix?

Upgrade @libp2p/kad-dht to version 16.2.6 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-LIBP2PKADDHT-16770413
published20 May 2026
disclosed19 May 2026
creditTahaa Farooq

Report a new vulnerability Found a mistake?

Introduced: 19 May 2026

NewCVE-2026-45783 (opens in a new tab) CWE-1286 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade @libp2p/kad-dht to version 16.2.6 or higher.

Overview

@libp2p/kad-dht is a JavaScript implementation of the Kad-DHT for libp2p

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the verifyRecord() function that leads to the unlimited message processing since rate limits are applied only to successfully received messages. An attacker can exhaust disk storage and render the node unavailable by sending a continuous stream of crafted PUT_VALUE messages with keys that bypass content validation.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Validation of Syntactic Correctness of Input Affecting @libp2p/kad-dht package, versions <16.2.6

Severity