VYPR
Critical severity | NVD Advisory | Published Dec 26, 2021 | Updated Aug 4, 2024

CVE-2021-45690

Description

An issue was discovered in the messagepack-rs crate through 2021-01-26 for Rust. deserialize_binary may read from uninitialized memory locations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The messagepack-rs crate's deserialize_binary function reads from uninitialized memory, potentially leaking sensitive data.

Vulnerability

The messagepack-rs crate (versions through 2021-01-26) contains a memory-safety vulnerability in the deserialize_binary function and three other deserialization functions (deserialize_string, deserialize_string_, and deserialize_binary_). These functions allocate a Vec with Vec::with_capacity(size) and then call unsafe { buf.set_len(size); } without initializing the buffer. The subsequent read_exact call may not fully fill the buffer if the Read implementation returns fewer bytes than size, leaving uninitialized memory exposed to the caller [1][2][3].
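
The pattern described above, placed beside two safe replacements, as an added illustration that is not the crate's own code. The `read_bin8` helper (MessagePack "bin 8" element: 0xc4 tag, one length byte, then the payload) and the sample payloads are constructed for this example.

```rust
use std::io::{self, ErrorKind, Read};

// Pattern the advisory describes (shown for contrast only, never called):
// the length is raised over uninitialized capacity, so whatever `reader`
// does with `buf` touches uninitialized memory, which is undefined
// behaviour regardless of how many bytes it later fills in.
#[allow(dead_code)]
fn deserialize_binary_unsound<R: Read>(reader: &mut R, size: usize) -> io::Result<Vec<u8>> {
    let mut buf: Vec<u8> = Vec::with_capacity(size);
    unsafe { buf.set_len(size) };
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

// Fix 1: initialize before handing the buffer to the reader. A stream that
// ends early surfaces as UnexpectedEof instead of leftover heap contents.
fn deserialize_binary_zeroed<R: Read>(reader: &mut R, size: usize) -> io::Result<Vec<u8>> {
    let mut buf = vec![0u8; size];
    reader.read_exact(&mut buf)?;
    Ok(buf)
}

// Fix 2: let the reader append only the bytes it actually produced, then
// verify the count; the Vec never has a length beyond what was written.
fn deserialize_binary_take<R: Read>(reader: &mut R, size: usize) -> io::Result<Vec<u8>> {
    let mut buf = Vec::with_capacity(size);
    reader.take(size as u64).read_to_end(&mut buf)?;
    if buf.len() != size {
        return Err(io::Error::new(ErrorKind::UnexpectedEof, "bin payload shorter than declared"));
    }
    Ok(buf)
}

// Constructed helper for a MessagePack "bin 8" element: 0xc4, length byte, payload.
fn read_bin8<R: Read>(reader: &mut R) -> io::Result<Vec<u8>> {
    let mut header = [0u8; 2];
    reader.read_exact(&mut header)?;
    if header[0] != 0xc4 {
        return Err(io::Error::new(ErrorKind::InvalidData, "expected bin 8 tag"));
    }
    deserialize_binary_take(reader, header[1] as usize)
}

fn main() {
    // Constructed inputs: a valid bin 8, and one whose header promises 5 bytes but carries 2.
    let ok: &[u8] = b"\xc4\x03abc";
    let short: &[u8] = b"\xc4\x05hi";
    println!("{:?}", read_bin8(&mut &ok[..]));
    println!("{:?}", read_bin8(&mut &short[..]).map_err(|e| e.kind()));
}
```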

Exploitation

An attacker who can control the serialized data processed by an application using messagepack-rs can craft a message that causes the deserialization functions to read from uninitialized memory. The attacker does not need authentication or special privileges; they only need to supply a malicious MessagePack payload to a vulnerable endpoint. The uninitialized memory may contain residual data from previous heap allocations, which the attacker can then observe through the deserialized output [2][3].

Impact

Successful exploitation results in information disclosure: the attacker can read uninitialized heap memory, potentially leaking sensitive data such as cryptographic keys, passwords, or other confidential information that was previously stored in the same memory region. The vulnerability does not allow code execution or privilege escalation directly, but the leaked data could be used in further attacks [1][2][3].

Mitigation

As of the latest advisory, no patched version of messagepack-rs exists [3]. The crate appears to be unmaintained (last commit in 2021) [4]. Users should avoid using this crate in production and migrate to alternative MessagePack implementations for Rust, such as rmp-serde or rmpv. No workaround is available within the crate itself [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: messagepack-rs (crates.io)
Affected versions: <= 0.8.1
Patched versions: none listed

Affected products: 2

Patches

0

No patches discovered yet.

References: 5
