← Back to feed
Security patch:
[HIGH] GHSA-32mq-hpph-xfvr: @libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Summary An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a craf
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
@libp2p/kad-dhttypescriptnode.js
View original source ↗Source payload preview
{
"ghsaId": "GHSA-32mq-hpph-xfvr",
"summary": "@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes",
"severity": "HIGH",
"updatedAt": "2026-05-19T20:07:53Z",
"references": [
{
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-32mq-hpph-xfvr"
},
{
"url": "https://github.com/advisories/GHSA-32mq-hpph-xfvr"
}
],
"description": "### Summary\nAn unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until th
…