Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS03aHBqLTdoaHgtMmZneM4AA4D7

msgpackr's conversion of property names to strings can trigger infinite recursion

Impact

When decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop.

Patches

The fix is available in v1.10.1

Workarounds

Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

References

Permalink: https://github.com/advisories/GHSA-7hpj-7hhx-2fgx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03aHBqLTdoaHgtMmZneM4AA4D7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago

CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Identifiers: GHSA-7hpj-7hhx-2fgx, CVE-2023-52079
References:

• https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx
• https://nvd.nist.gov/vuln/detail/CVE-2023-52079
• https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602
• https://github.com/advisories/GHSA-7hpj-7hhx-2fgx

Repository: https://github.com/kriszyp/msgpackr
Blast Radius: 40.0

Affected Packages