PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49866 libp2p CVE debrief

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0. An executive overview indicates affected product scope, vulnerability class, and likely operational impact. The vulnerability allows for large IHAVE and IWANT control messages to be processed, potentially blocking the Node.js event loop.

Vendor
libp2p
Product
js-libp2p
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of libp2p JavaScript Implementation prior to version 16.0.0 should be aware of this vulnerability and take steps to upgrade to the patched version. This includes operators managing libp2p deployments, platform administrators, vulnerability management teams, and security teams responsible for monitoring and mitigating potential impacts.

Technical summary

The @libp2p/gossipsub module in libp2p had a vulnerability where the defaultDecodeRpcLimits were set to Infinity for maxIhaveMessageIDs and maxIwantMessageIDs. This allowed for large IHAVE and IWANT control messages to be processed, potentially blocking the Node.js event loop. The issue was fixed in version 16.0.0. Affected users should upgrade to this version or later to prevent potential event loop blocking due to oversized control messages.

Defensive priority

High

Recommended defensive actions

  • Upgrade to libp2p version 16.0.0 or later
  • Review and adjust @libp2p/gossipsub configuration to prevent similar issues
  • Monitor for similar vulnerabilities in libp2p and its dependencies
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T21:16:49.137Z and was last modified on 2026-07-10T19:10:59.333Z. The NVD entry is currently Deferred. Evidence limits suggest verifying the patched version 16.0.0 or later is installed. Defensive verification tasks include reviewing system logs for large IHAVE and IWANT control messages and ensuring the Node.js event loop is not blocked.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:49.137Z and has not been modified since then. The NVD entry is currently Deferred.