CVE-2026-45783 Overview
CVE-2026-45783 is a denial-of-service vulnerability in js-libp2p, the JavaScript implementation of the libp2p networking stack. The flaw affects the @libp2p/kad-dht module in versions prior to 16.2.6. An unauthenticated remote peer can exhaust the disk storage of any kad-dht node running in server mode. The attacker sends an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. The victim node's datastore fills until the host disk is exhausted, rendering the node unavailable. No credentials, prior relationship, or protocol deviation beyond a crafted key are required. The issue has been patched in version 16.2.6.
Critical Impact
Unauthenticated remote attackers can exhaust disk storage on any kad-dht server node, causing complete node unavailability and potential cascading impact on dependent peer-to-peer applications.
Affected Products
- js-libp2p@libp2p/kad-dht module versions prior to 16.2.6
- Any libp2p node running kad-dht in server mode
- Downstream applications embedding vulnerable js-libp2p releases
Discovery Timeline
- 2026-06-10 - CVE-2026-45783 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45783
Vulnerability Analysis
The vulnerability resides in how @libp2p/kad-dht processes incoming Kademlia distributed hash table (DHT) PUT_VALUE requests. When a node operates in server mode, it accepts records from arbitrary peers and writes them to the local datastore. The implementation fails to enforce content validation on key namespaces and does not bound the volume of records a single peer may submit. As a result, a remote peer can stream crafted records indefinitely. Each accepted record consumes disk space until the host file system is full, at which point the node and any colocated services fail.
The weakness is categorized as Improper Input Validation [CWE-20]. The vector reflects a network-reachable, unauthenticated condition with availability impact only — confidentiality and integrity are not affected.
Root Cause
The root cause is missing validation of PUT_VALUE record keys combined with the absence of per-peer rate or quota limits in the kad-dht server path. Keys that should be rejected by namespace validators are instead persisted. There is no upper bound on total stored records or on storage consumed per remote peer, so adversarial writes are not throttled or expired before they exhaust disk capacity.
Attack Vector
An attacker connects to a kad-dht server-mode node over any libp2p transport and issues continuous PUT_VALUE messages with keys constructed to bypass content validators. The node stores each record. Repeating this pattern at high volume fills the datastore and consumes the host disk. The attack requires no authentication, no user interaction, and no prior peering relationship. Refer to the GitHub Security Advisory GHSA-32mq-hpph-xfvr for protocol-level technical detail.
Detection Methods for CVE-2026-45783
Indicators of Compromise
- Rapid growth of the kad-dht datastore directory without a corresponding increase in legitimate application traffic.
- High volume of inbound PUT_VALUE messages originating from a small set of remote peer IDs.
- Disk usage alerts on hosts running js-libp2p server-mode nodes, particularly approaching 100% capacity.
Detection Strategies
- Monitor libp2p stream and protocol metrics for anomalous /ipfs/kad/1.0.0PUT_VALUE request rates per remote peer.
- Correlate datastore size growth with peer connection logs to identify single peers contributing disproportionate writes.
- Inspect record keys for namespaces that do not match validators registered on the node.
Monitoring Recommendations
- Alert on datastore directory size crossing capacity thresholds (for example, 70% and 90% of allocated disk).
- Log and review the version of @libp2p/kad-dht deployed across the fleet; flag instances below 16.2.6.
- Track per-peer message counters and apply alerting when a single peer exceeds expected baselines.
How to Mitigate CVE-2026-45783
Immediate Actions Required
- Upgrade @libp2p/kad-dht and dependent js-libp2p packages to version 16.2.6 or later.
- Audit production nodes to identify any running in kad-dht server mode and prioritize their patching.
- Free disk space and restart any node whose datastore has been inflated by suspect PUT_VALUE traffic.
Patch Information
The vulnerability is fixed in @libp2p/kad-dht version 16.2.6. The patch enforces validation on incoming PUT_VALUE keys so that records failing namespace validators are rejected before being written to the datastore. Maintainers published the fix through the GitHub Security Advisory GHSA-32mq-hpph-xfvr.
Workarounds
- Switch kad-dht nodes from server mode to client mode where the application does not require providing DHT service.
- Place strict disk quotas on the datastore directory to limit blast radius until the upgrade is deployed.
- Apply network-layer rate limiting or peer scoring to drop connections from peers issuing excessive PUT_VALUE traffic.
# Configuration example: upgrade to the patched release
npm install @libp2p/kad-dht@^16.2.6
npm ls @libp2p/kad-dht
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

