Out-of-bounds Read

Overview MessagePack is a MessagePackMsgPack Serializer for C.NET, .NET Core, Unity, Xamarin. Affected versions of this package are vulnerable to Out-of-bounds Read in the LZ4 decompression path for Lz4Block and Lz4BlockArray modes. An attacker can cause process termination or potentially access...

GHSA-HV8M-JJ95-WG3X MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input

Impact A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted...

CVE-2020-5234

MessagePack for C and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps...

Denial Of Service (DoS)

MessagePack is vulnerable to a Denial Of Service DoS. This vulnerability is due to hash collisions triggered by specially crafted data, which allows an attacker to cause excessive CPU consumption during deserialization of untrusted data. A workaround involves creating a custom hash function by...