msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1.
Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.
CVE-2023-52079 - Medium Severity Vulnerability
Library home page: https://registry.npmjs.org/msgpackr/-/msgpackr-1.9.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy: - gatsby-5.13.7.tgz (Root Library) - lmdb-2.5.3.tgz - :x: **msgpackr-1.9.7.tgz** (Vulnerable Library)
Found in HEAD commit: 50f91e8f19edfee259e1f0672ab3b00104b33d47
Found in base branch: master
msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.
Publish Date: 2023-12-28
URL: CVE-2023-52079
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52079
Release Date: 2023-12-28
Fix Resolution: msgpackr - 1.10.1
Step up your Open Source Security Game with Mend here