Protocol Libp2P vulnerabilities
6 known vulnerabilities affecting protocol/libp2p.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 1
Vulnerabilities
CVE-2026-33040 | HIGH | CVSS 8.7 | CWE-190 | fixed in 0.49.3 | 2026-03-20
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MA
Source: nvd
CVE-2025-29606 | MEDIUM | CWE-770 | ≥ 0, < 0.2.3 | 2025-07-14
py-libp2p is vulnerable to DoS attacks through use of large RSA keys
py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.
Sources: ghsa, osv
CVE-2023-40583 | HIGH | CVSS 7.5 | CWE-400 | fixed in 0.27.4 | 2023-08-25
libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users
Source: nvd
CVE-2022-23492 | HIGH | CVSS 7.5 | CWE-400 | fixed in 0.18.0 | 2022-12-08
go-libp2p is the official libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process g
Source: nvd
CVE-2022-23486 | HIGH | CVSS 7.5 | CWE-400 | fixed in 0.45.1 | 2022-12-07
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuou
Sources: ghsa, nvd, osv
CVE-2022-23487 | HIGH | CVSS 7.5 | CWE-400 | fixed in 0.38.0 | 2022-12-07
js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the proce
Sources: ghsa, nvd, osv