CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-cwc9-cp4j-mcvv: libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays

highCVSS 7.5CVE-2026-49866
Summary gossipsub processes IHAVE and IWANT control messages by iterating every received message ID synchronously before doing anything with the results. There is no cap on how many IDs a single frame may contain. The default LP frame limit is 4MB, which fits roughly 180,000 message IDs. Iterating that many IDs blocks the Node.js event loop for around 200ms per call. The two variants have different severity. For IHAVE there is a per-peer per-heartbeat counter that limits each peer to one full iteration per heartbeat, so causing a total stall requires around 10 Sybil peers. For IWANT there is no equivalent counter at all, so a single peer continuously streaming 4MB frames can hold the event loop above 80% utilisation indefinitely. Details No decode-time cap on message ID count (message/decodeRpc.ts:11-19) export const defaultDecodeRpcLimits: DecodeRPCLimits = { maxSubscriptions: Infinity, maxMessages: Infinity, maxIhaveMessageIDs: Infinity, maxIwantMessageIDs: Infinity, maxIdontwantMessageIDs: Infinity, maxControlMessages: Infinity, maxPeerInfos: Infinity } These are the defaults unless the operator explicitly overrides opts.decodeRpcLimits. A TODO at gossipsub.ts:857 already notes the gap: // TODO: Check max gossip message size, before decodeRpc(). IHAVE iterates all IDs before truncating (gossipsub.ts:1311-1327) messageIDs.forEach((msgId) => { const msgIdStr = this.msgIdToStrFn(msgId) if (!this.seenCache.has(msgIdStr)) { iwant.set(msgIdStr, msgId) } }) // truncation to GossipsubMaxIHaveLength (5000) only happens after the loop finishes The per-peer flood counters (iasked, peerhave) do cap things eventually: each peer is limited to 10 IHAVE RPCs and 5000 IDs counted per heartbeat. After the first oversized IHAVE from a peer, subsequent ones are rejected cheaply. The problem is that the cap is per peer, so 10 Sybil peers each sending one 180K-ID IHAVE per heartbeat gives 10 x 150ms = 1500ms of synchronous work against a 1000ms heartbeat interval. IWANT has no

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.5
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-cwc9-cp4j-mcvv

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49866coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories