VYPR
Vendor: Libp2p

Products: 8
CVEs: 12
Across products: 12
Status: Private

Recent CVEs (12)

  • CVE-2026-46679 · High · Jun 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched…

  • CVE-2026-45783 · High · Jun 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all…

  • CVE-2026-52878 · High · Jun 5, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Every transaction gossiped on the klever-go P2P network is decoded and validated synchronously inside the libp2p pubsub topic-validator callback. The validator `txVersionChecker.CheckTxVersion` dereferences `tx.RawData.Version` with no nil check. A protobuf…

  • CVE-2023-26248 · Medium · Oct 25, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an…

  • CVE-2025-29606 · Medium · Jul 14, 2025
    risk 0.21 · cvss 4.3 · epss 0.00

    py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.

  • CVE-2026-32314 · Mar 13, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first…

  • CVE-2026-31814 · Mar 13, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely…

  • CVE-2023-40583 · Aug 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get…

  • CVE-2023-39533 · Aug 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    go-libp2p is the Go implementation of the libp2p networking stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1, a malicious peer can use large RSA keys to run a resource exhaustion attack and force a node to spend time doing signature verification of the large key. This…

  • CVE-2022-23492 · Dec 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    go-libp2p is the official libp2p implementation in the Go programming language. Versions `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause…

  • CVE-2022-23487 · Dec 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can…

  • CVE-2022-23486 · Dec 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of…