@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
- Severity: High
Description
An unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required.
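The following Node.js sketch is an added illustration, not code from @libp2p/kad-dht or the libp2p project. It contrasts a PUT_VALUE handler that stores whatever it cannot validate with one that fails closed on unknown namespaces and bounds what a peer, and the node as a whole, may store. The key layout ("/<namespace>/<rest>"), the validator table, the limits and every function name are assumptions made for the example; the advisory does not disclose the actual bypass.

```javascript
// Added example (not @libp2p/kad-dht's own code): a minimal record-store
// guard for a DHT node in server mode. Key layout, validator table, limits
// and names are assumptions made for illustration.

const MAX_RECORD_BYTES = 64 * 1024;       // assumed cap on one record's value
const MAX_BYTES_PER_PEER = 1024 * 1024;   // assumed per-peer storage quota
const MAX_STORE_BYTES = 8 * 1024 * 1024;  // assumed global cap for the store

// Split a key into namespace and remainder. Returns null for anything that
// is not "/<ns>/<rest>" with non-empty parts, so malformed keys fail closed
// instead of being stored under a namespace nobody checks.
function parseKey(key) {
  if (typeof key !== 'string' || !key.startsWith('/')) return null;
  const sep = key.indexOf('/', 1);
  if (sep <= 1) return null;
  const ns = key.slice(1, sep);
  const rest = key.slice(sep + 1);
  return rest.length === 0 ? null : { ns, rest };
}

// Validators keyed by namespace; each throws on bad content. The "pk" entry
// is a toy stand-in for a real public-key record check.
const validators = {
  pk: (key, value) => {
    if (value.length === 0) throw new Error('empty pk record');
  },
};

// In-memory stand-in for the datastore plus the accounting the guard needs.
function newStore() {
  return { records: new Map(), perPeer: new Map(), totalBytes: 0 };
}

// Weak handler: runs a validator only when one happens to exist for the
// namespace and stores everything else verbatim, with no size or quota
// check. This is the pattern the advisory describes: keys that never reach
// a validator let a remote peer stream records until the disk is full.
function naiveHandlePut(state, peer, key, value) {
  const parsed = parseKey(key);
  if (parsed && validators[parsed.ns]) validators[parsed.ns](key, value);
  state.records.set(key, value);
  return true;
}

// Hardened handler: reject malformed keys and unknown namespaces, cap the
// record size, and bound both per-peer and total bytes held.
function hardenedHandlePut(state, peer, key, value) {
  const parsed = parseKey(key);
  if (!parsed) throw new Error('malformed key');
  const validate = validators[parsed.ns];
  if (!validate) throw new Error(`no validator for namespace "${parsed.ns}"`);
  validate(key, value);
  if (value.length > MAX_RECORD_BYTES) throw new Error('record too large');

  // Account for replacement of an existing record under the same key.
  const existing = state.records.get(key);
  const delta = value.length - (existing ? existing.length : 0);
  const peerUsed = state.perPeer.get(peer) ?? 0;
  if (peerUsed + delta > MAX_BYTES_PER_PEER) throw new Error('peer quota exceeded');
  if (state.totalBytes + delta > MAX_STORE_BYTES) throw new Error('store full');

  state.perPeer.set(peer, peerUsed + delta);
  state.totalBytes += delta;
  state.records.set(key, value);
  return true;
}

// Simulate one peer streaming `count` PUT_VALUE messages with unique keys
// under namespace `ns`, each carrying `size` bytes of constructed payload.
// Returns how many records the handler accepted and the bytes now stored.
function flood(handler, ns, count, size) {
  const state = newStore();
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    try {
      handler(state, 'peer-A', `/${ns}/key-${i}`, new Uint8Array(size));
      accepted++;
    } catch {
      // rejected by the handler
    }
  }
  const bytes = [...state.records.values()].reduce((n, v) => n + v.length, 0);
  return { accepted, bytes };
}
```

The per-peer quota only limits one identity; a remote attacker can mint as many peer IDs as it likes, which is why the global cap is there as well. A production store would also need record expiry and eviction so that honest traffic is not starved once the cap is reached.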
Recommendation
Update the @libp2p/kad-dht package to the latest compatible version. The exposure described above applies to nodes that answer inbound DHT requests (server mode), so prioritise those when rolling out the upgrade. Version details:
- Affected version(s): < 16.2.6
- Patched version(s): 16.2.6
- Tags: npm, @libp2p/kad-dht
Last updated on May 19, 2026


