Description
Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options.
defaultDecodeRpcLimits.maxSubscriptions = Infinity(packages/gossipsub/src/message/decodeRpc.ts:11): no decode-level cap on subscription entries per RPC. 2.
Recommendation
Update the @libp2p/gossipsub package to the latest compatible version. Followings are version details:
- Affected version(s): <= 15.0.22
- Patched version(s): 15.0.23
References
Related Issues
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands - CVE-2026-29772
- i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header - CVE-2026-41683
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
You might also like:
- Tags:
- npm
- @libp2p/gossipsub
Anything's wrong? Let us know Last updated on May 21, 2026