CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser
Vulnerability ID: CVE-2026-49866
CVSS Score: 7.5
Published: 2026-07-10
A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.
TL;DR
Unbounded protobuf limits and synchronous array loops in @libp2p/gossipsub allow unauthenticated remote attackers to block the single-threaded Node.js event loop, causing a complete denial of service.
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network (AV:N)
- CVSS Score: 7.5
- EPSS Score: 0.00446
- Exploit Status: poc
- KEV Status: not-listed
Affected Systems
- @libp2p/gossipsub prior to 16.0.0
- js-libp2p installations using vulnerable @libp2p/gossipsub modules
Mitigation Strategies
- Upgrade dependency @libp2p/gossipsub to version 16.0.0 or above
- Configure explicit decodeRpcLimits in GossipSub initialization option block
- Implement event loop lag monitoring in the application infrastructure
Remediation Steps:
- Identify vulnerable @libp2p/gossipsub references in package.json or package-lock.json
- Execute the upgrade to version 16.0.0 or higher
- Alternatively, modify instantiation properties to override default limits manually
- Deploy telemetry to capture event loop blocking spikes
Read the full report for CVE-2026-49866 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)