I've tried to contact you via security@plasmo.com but the email seems to not work.
We've identified a high-security issue in your repository related to msgpackr. The vulnerability arises from msgpackr's conversion of property names to strings, which can trigger infinite recursion.
Details:
Severity: High (8.6/10)
Affected Version: msgpackr@1.8.5
Fixed Version: 1.10.1
Conflicting Dependency: plasmo@0.88.0 requires msgpackr@1.8.5 via lmdb@2.7.11
Dependabot is unable to update msgpackr to a non-vulnerable version due to this dependency conflict.
CVSS Base Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Please consider updating the dependencies to address this issue.
Thanks!
Version
Latest
What OS are you seeing the problem on?
No response
What browsers are you seeing the problem on?
No response
Relevant log output
No response
(OPTIONAL) Contribution
n/a I would like to fix this BUG via a PR
Code of Conduct
[X] I agree to follow this project's Code of Conduct
[X] I checked the current issues for duplicate problems.
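To confirm the dependency chain described in the report, the sketch below (an added example, not code from the reporter or from the Plasmo project) walks the `packages` map of an npm v2/v3 lockfile and lists every msgpackr install older than the fixed version, plus the packages that declare it. The lockfile contents, including the dependency ranges, are constructed sample data; only the version numbers are taken from the report.

```javascript
// Added example. The version numbers come from the report; the lockfile
// below is constructed sample data, including the dependency ranges.
const FIXED = "1.10.1";

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { plasmo: "0.88.0" } },
    "node_modules/plasmo": { version: "0.88.0", dependencies: { lmdb: "2.7.11" } },
    "node_modules/lmdb": { version: "2.7.11", dependencies: { msgpackr: "1.8.5" } },
    "node_modules/msgpackr": { version: "1.8.5" },
  },
};

// Numeric compare of x.y.z versions (pre-release suffixes are ignored).
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// True when a lockfile path is an install of `name`, hoisted or nested.
function isInstallOf(path, name) {
  const marker = "node_modules/" + name;
  return path === marker || path.endsWith("/" + marker);
}

// List installs of `name` older than `fixed`, and the packages that pull it in.
function audit(lock, name = "msgpackr", fixed = FIXED) {
  const vulnerable = [];
  const requiredBy = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (isInstallOf(path, name) && meta.version && cmp(meta.version, fixed) < 0) {
      vulnerable.push({ path, version: meta.version });
    }
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (path && name in deps) {
      const parent = path.split("node_modules/").pop();
      requiredBy.push(`${parent}@${meta.version} -> ${name}@${deps[name]}`);
    }
  }
  return { vulnerable, requiredBy };
}

console.log(JSON.stringify(audit(sampleLock), null, 2));
```

When the audit reports a hit that the parent package pins, npm's `overrides` field in `package.json` can force a newer transitive version; whether lmdb@2.7.11 works with msgpackr 1.10.1 is not stated in the report and has to be tested.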