Description
Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options.
defaultDecodeRpcLimits.maxSubscriptions = Infinity(packages/gossipsub/src/message/decodeRpc.ts:11): no decode-level cap on subscription entries per RPC. 2.
Recommendation
Update the @libp2p/gossipsub package to the latest compatible version. Followings are version details:
- Affected version(s): <= 15.0.22
- Patched version(s): 15.0.23
References
Related Issues
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header - CVE-2026-41683
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
You might also like:
- Tags:
- npm
- @libp2p/gossipsub
Anything's wrong? Let us know Last updated on May 21, 2026