PatchSiren cyber security CVE debrief
CVE-2026-45783 libp2p CVE debrief
CVE-2026-45783 is a HIGH severity vulnerability in libp2p, a JavaScript implementation of the libp2p networking stack. An unauthenticated remote peer can exhaust a @libp2p/kad-dht node's disk storage by sending an unbounded stream of PUT_VALUE messages with crafted keys, making the node unavailable. This issue was patched in version 16.2.6.
- Vendor: libp2p
- Product: js-libp2p
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of libp2p, particularly those running @libp2p/kad-dht nodes in server mode, should be aware of this vulnerability and take steps to update to version 16.2.6 or later.
Technical summary
An unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required.
Defensive priority
HIGH
Recommended defensive actions
- Update libp2p to version 16.2.6 or later.
- Restrict access to @libp2p/kad-dht nodes in server mode to trusted peers only.
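One way to apply the second action on a private network, as an added example that is not taken from the advisory or from the js-libp2p project: an allowlist built on libp2p's connection gater hooks. The peer IDs are constructed placeholders, and `createAllowlistGater` and `onDenied` are hypothetical names.

```javascript
// Added example (not project code): allowlist connection gater for a libp2p node.
// Assumption: the operator knows the peer IDs that may reach the DHT server.
// The IDs below are constructed placeholders, not real peers.
const TRUSTED_PEERS = ['12D3KooWTrustedPeerExampleA', '12D3KooWTrustedPeerExampleB'];

function createAllowlistGater(trustedPeerIds, onDenied = () => {}) {
  const allowed = new Set(trustedPeerIds.map(String));
  const denied = new Map(); // peer id -> number of refused attempts

  // Returns true when the connection must be refused.
  const isDenied = (peerId, stage) => {
    const id = String(peerId); // PeerId objects stringify to their base58 form
    if (allowed.has(id)) return false;
    denied.set(id, (denied.get(id) ?? 0) + 1);
    onDenied(id, stage); // hook for logging or alerting
    return true;
  };

  return {
    isDenied,
    // The remote peer ID is only authenticated once the encryption handshake
    // has completed, so inbound filtering happens at the "encrypted" stage.
    gater: {
      denyDialPeer: async (peerId) => isDenied(peerId, 'dial'),
      denyInboundEncryptedConnection: async (peerId) => isDenied(peerId, 'inbound'),
      denyOutboundEncryptedConnection: async (peerId) => isDenied(peerId, 'outbound')
    },
    // Snapshot of refused peers, useful for spotting repeated attempts.
    deniedCounts: () => Object.fromEntries(denied)
  };
}

const trustedOnly = createAllowlistGater(TRUSTED_PEERS, (id, stage) => {
  console.warn(`refused ${stage} connection for untrusted peer ${id}`);
});

// Pass it to the node alongside the existing transport and service options:
//   createLibp2p({ ...existingOptions, connectionGater: trustedOnly.gater })
```

An allowlist suits closed deployments; a node that must serve the public DHT cannot use it and depends on the 16.2.6 update instead.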
Evidence notes
This vulnerability was patched in version 16.2.6. For more information, see the [GitHub security advisory GHSA-32mq-hpph-xfvr](https://github.com/libp2p/js-libp2p/security/advisories/GHSA-32mq-hpph-xfvr).
Official resources
- [CVE-2026-45783 CVE record](https://www.cve.org/CVERecord?id=CVE-2026-45783) (CVE.org)
- [CVE-2026-45783 NVD detail](https://nvd.nist.gov/vuln/detail/CVE-2026-45783) (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-45783 was published on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-45783) and last modified on [2026-06-11](https://nvd.nist.gov/vuln/detail/CVE-2026-45783).