GHSA-7HPJ-7HHX-2FGX

Vulnerability from github – Published: 2023-12-28 21:16 – Updated: 2024-01-10 18:34
VLAI?
Summary
msgpackr's conversion of property names to strings can trigger infinite recursion
Details

Impact

When decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop.

Patches

The fix is available in v1.10.1

Workarounds

Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

References

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpackr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-52079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-28T21:16:20Z",
    "nvd_published_at": "2023-12-28T16:16:01Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop.\n\n### Patches\nThe fix is available in v1.10.1\n\n### Workarounds\nExploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.\n\n### References",
  "id": "GHSA-7hpj-7hhx-2fgx",
  "modified": "2024-01-10T18:34:21Z",
  "published": "2023-12-28T21:16:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52079"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kriszyp/msgpackr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "msgpackr\u0027s conversion of property names to strings can trigger infinite recursion"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.