MessagePack is vulnerable to denial of service. Untrusted data and deeply nested object graphs can lead to hash collisions and stack overflows that result in an application crash.
CPE

Name | Operator | Version |
---|---|---|
microsoft.aspnetcore.signalr.protocols.messagepack | le | 3.1.20 |
messagepack | le | 1.9.3 |
messagepack | le | 2.1.80 |
github.com/advisories/GHSA-7q36-4xx7-xcxf
github.com/aspnet/Announcements/issues/405
github.com/dotnet/aspnetcore/issues/18716
github.com/dotnet/aspnetcore/issues/18717
github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02
github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007
github.com/neuecc/MessagePack-CSharp/issues/810
github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf