PT-2026-42028 · npm +1 · @libp2p/kad-dht +1

Published 2026-05-19 · Updated 2026-06-11 · CVE-2026-45783

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the vulnerable software and affected versions: libp2p versions prior to 16.2.6
Description: An unauthenticated remote peer can cause disk storage exhaustion on any @libp2p/kad-dht node operating in server mode. This occurs when an attacker sends an unbounded stream of PUT VALUE messages using crafted keys that bypass content validation. The issue stems from two defects: the verifyRecord() function silently accepts keys that split into fewer than three slash-delimited parts, and the RPC message loop has no per-stream message limit, per-peer byte budget, or rate limiting, and resets the inactivity timeout after every successful message.
Technical details include:
  • API Endpoints: The vulnerability affects the DHT RPC layer handling PUT VALUE messages.
  • Vulnerable Parameters or Variables: The key field of the Libp2pRecord bypasses validation if it contains fewer than two "/" characters.
  • Function Names: The verifyRecord() function fails to reject invalid keys, and the RPC loop in packages/kad-dht/src/rpc/index.ts allows unlimited message processing.
This can lead to the victim node's datastore filling up until the host disk is exhausted, rendering the node unavailable. This affects IPFS nodes, libp2p bootstrap nodes, and any application exposing a public DHT endpoint.
Recommendations: Update to version 16.2.6. As a temporary mitigation, restrict access to the public DHT endpoint or disable server mode by setting clientMode: true, which stops the node from processing inbound DHT streams.
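The following is an added illustration of the two defensive checks the advisory describes as missing: a record verifier that rejects keys with fewer than three slash-delimited parts instead of returning silently, and a per-stream message and byte budget for the inbound RPC loop. It is not js-libp2p's own code; the names verifyRecord, keyAccepted, StreamBudget, handleInboundStream and the single "pk" validator are assumptions made for this example, and the sample records are constructed inline.

```typescript
// Added example (not js-libp2p code): hardened record key validation plus a
// per-stream budget, the two controls the advisory says @libp2p/kad-dht
// lacked before 16.2.6. All names here are assumptions for illustration.

interface Libp2pRecord {
  key: Uint8Array
  value: Uint8Array
}

type Validator = (key: Uint8Array, value: Uint8Array) => void

// Keys in the example are ASCII, so two small helpers stand in for a UTF-8 codec.
function asciiEncode(s: string): Uint8Array {
  return Uint8Array.from(s, (ch) => ch.charCodeAt(0))
}
function asciiDecode(b: Uint8Array): string {
  return Array.from(b, (c) => String.fromCharCode(c)).join('')
}

// Per-namespace validators, keyed by the segment after the leading "/".
// Constructed sample: one "pk" namespace that only requires a non-empty value.
const validators = new Map<string, Validator>([
  ['pk', (_key, value) => {
    if (value.length === 0) throw new Error('pk record must carry a value')
  }]
])

// Hardened record check: a key must have the shape "/<namespace>/<id>", i.e.
// at least three "/"-delimited parts, and the namespace must have a validator.
// Short keys are rejected by throwing; the weak behaviour the advisory
// describes was to return silently, letting unvalidated records be stored.
function verifyRecord(record: Libp2pRecord): void {
  const keyStr = asciiDecode(record.key)
  const parts = keyStr.split('/')
  if (parts.length < 3) {
    throw new Error(`invalid record key ${JSON.stringify(keyStr)}: expected /<namespace>/<id>`)
  }
  const validator = validators.get(parts[1])
  if (validator === undefined) {
    throw new Error(`no validator registered for namespace ${JSON.stringify(parts[1])}`)
  }
  validator(record.key, record.value)
}

// Boolean wrapper around verifyRecord for callers that prefer not to catch.
function keyAccepted(key: string, value = 'v'): boolean {
  try {
    verifyRecord({ key: asciiEncode(key), value: asciiEncode(value) })
    return true
  } catch {
    return false
  }
}

// Per-stream budget: caps on message count and total bytes. Once either cap
// is exceeded the stream is closed rather than processing further messages.
interface StreamBudget {
  maxMessages: number
  maxBytes: number
}

interface StreamResult {
  stored: number        // records that passed verifyRecord
  rejected: number      // records refused by verifyRecord
  closedEarly: boolean  // true if the budget closed the stream before its end
}

// Simulated inbound RPC loop over a batch of PUT_VALUE records from one stream.
function handleInboundStream(records: Libp2pRecord[], budget: StreamBudget): StreamResult {
  const result: StreamResult = { stored: 0, rejected: 0, closedEarly: false }
  let messages = 0
  let bytes = 0
  for (const record of records) {
    messages += 1
    bytes += record.key.length + record.value.length
    if (messages > budget.maxMessages || bytes > budget.maxBytes) {
      result.closedEarly = true
      return result
    }
    try {
      verifyRecord(record)
      result.stored += 1
    } catch {
      result.rejected += 1
    }
  }
  return result
}

// Constructed sample stream of well-formed "pk" records.
function sampleStream(count: number): Libp2pRecord[] {
  const out: Libp2pRecord[] = []
  for (let i = 0; i < count; i++) {
    out.push({ key: asciiEncode(`/pk/k${i}`), value: asciiEncode('v') })
  }
  return out
}
```

With a budget of three messages, handleInboundStream(sampleStream(5), ...) stores the first three records and reports closedEarly, which is the behaviour that keeps a single peer from filling the datastore; the byte cap works the same way for oversized records. In a real deployment the budget would be tracked per peer as well as per stream, and the inactivity timeout would not be reset by messages that exceed it.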

Exploit · Fix · Resource Exhaustion · RCE


Weakness Enumeration

Related Identifiers

CVE-2026-45783
GHSA-32mq-hpph-xfvr

Affected Products

@libp2p/kad-dht
js-libp2p