2256134 – (CVE-2023-52079) CVE-2023-52079 msgpackr: crafted message leads to Denial of Service

Bug 2256134 (CVE-2023-52079) - CVE-2023-52079 msgpackr: crafted message leads to Denial of Service

Summary: CVE-2023-52079 msgpackr: crafted message leads to Denial of Service

Keywords:
Status:	NEW
Alias:	CVE-2023-52079
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2256133
TreeView+	depends on / blocked

Reported:	2023-12-28 20:24 UTC by Patrick Del Bello
Modified:	2024-02-01 05:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A flaw was found in msgpackr. A malicious message could get stuck in a decoder loop, leading to a denial of service (DoS) attack.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2023-12-28 20:24:00 UTC

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1.  
Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602
https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx

Note You need to log in before you can comment on or make changes to this bug.