
11 matches found

Veracode
added 2023/12/29 10:37 a.m. · 16 views

Denial Of Service

msgpackr is vulnerable to Denial of Service (DoS). The vulnerability is due to faulty validation of user-supplied MessagePack messages. An attacker can trigger an infinite loop with specially crafted messages, resulting in Denial of Service...

CVSS 6.8 · AI score 6.7 · EPSS 0.00456
Exploits: 0 · References: 2 · Affected Software: 1
Github Security Blog
added 2023/12/28 9:16 p.m. · 17 views

msgpackr's conversion of property names to strings can trigger infinite recursion

Impact: When decoding user-supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. Patches: The fix is available in v1.10.1. Workarounds: Exploits seem to require structured cloning, replacing the 0x70 extension with your own that...

CVSS 6.8 · AI score 6.6 · EPSS 0.00456
Exploits: 0 · References: 4 · Affected Software: 1
vulnersOsv
added 2023/12/28 9:16 p.m. · 4 views

@cmmn/domain (>=1.9.13 <=2.2.3), @hummhive/saltpack (>=1.0.0 <=1.3.0) +13 more potentially affected by CVE-2023-52079 via msgpackr (>=0.1.8 <=1.10.0)

msgpackr NPM version =0.1.8, =1.9.13, =1.0.0, =4.0.2-cmmn, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =0.0.2, =0.7.0, =0.5.0, =0.7.1, =0.7.4 Source cves: CVE-2023-52079 Source advisory: OSV:GHSA-7HPJ-7HHX-2FGX...

CVSS 6.8 · AI score 6.6 · EPSS 0.00456
Exploits: 0
RedhatCVE
added 2023/12/28 9:0 p.m. · 25 views

CVE-2023-52079

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

CVSS 5.9 · AI score 6.4 · EPSS 0.00456
Exploits: 0 · References: 4
NVD
added 2023/12/28 4:16 p.m. · 10 views

CVE-2023-52079

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

CVSS 6.8 · EPSS 0.00456
Exploits: 0 · References: 2
Prion
added 2023/12/28 4:16 p.m. · 15 views

Information disclosure

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

CVSS 4 · AI score 6.9 · EPSS 0.00456
Exploits: 0 · References: 2 · Affected Software: 1
Cvelist
added 2023/12/28 3:20 p.m. · 17 views

CVE-2023-52079 Conversion of property names to strings can trigger infinite recursion

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

CVSS 6.8 · AI score 6.7 · EPSS 0.00456
Exploits: 0 · References: 2
OSV
added 2023/12/28 3:20 p.m. · 20 views

CVE-2023-52079 Conversion of property names to strings can trigger infinite recursion

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

CVSS 6.8 · AI score 6.1 · EPSS 0.00456
Exploits: 0 · References: 4
Vulnrichment
added 2023/12/28 3:20 p.m. · 11 views

CVE-2023-52079 Conversion of property names to strings can trigger infinite recursion

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...

CVSS 6.8 · AI score 6.6 · EPSS 0.00456
Exploits: 0 · References: 2
CVE
added 2023/12/28 3:20 p.m. · 43 views

CVE-2023-52079

CVE-2023-52079 concerns msgpackr (NodeJS/JavaScript) before version 1.10.1. When decoding user-supplied MessagePack messages, the decoder can get stuck in a loop, tying up threads. The issue is associated with how certain extensions (e.g., 0x70) may be processed; a mitigation path involves replac...

CVSS 6.8 · AI score 6.3 · EPSS 0.00456
Exploits: 0 · References: 2 · Affected Software: 1
Positive Technologies
added 2023/12/28 12:0 a.m. · 1 view

PT-2023-9033 · Msgpackr +1 · Msgpack +1

Name of the Vulnerable Software and Affected Versions: msgpackr versions prior to 1.10.1 Description: The issue is related to the decoding of user-supplied MessagePack messages, which can cause threads to become stuck in a loop. This can be triggered by crafting specific messages. Exploits seem t...

CVSS 8.6 · AI score 6.7 · EPSS 0.02546
Exploits: 1 · References: 12