High severity · NVD Advisory · Published Dec 28, 2023 · Updated Aug 27, 2024
Conversion of property names to strings can trigger infinite recursion
CVE-2023-52079
Description
msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user-supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning; replacing the 0x70 extension with your own (one that throws an error or does something other than recursive referencing) should mitigate the issue.
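For services that cannot move to v1.10.1 right away, a pre-decode filter can refuse untrusted messages that carry the 0x70 extension before they reach the decoder. The sketch below is an added example, not msgpackr code and not part of the advisory: it walks standard MessagePack framing and rejects any extension type outside an allowlist, which covers 0x70. The function names, the allowlist, the depth limit and the sample bytes are assumptions constructed here, and it assumes plain MessagePack input without msgpackr records or shared structures.

```javascript
const ALLOWED_EXT = new Set([-1]); // assumption: only the spec's timestamp extension is expected
const MAX_DEPTH = 64;              // assumption: nesting bound for legitimate payloads
// Skips one value at `pos`, returning the offset just past it. Throws on truncation,
// excessive nesting, the reserved byte, or an extension type outside ALLOWED_EXT.
function skipValue(buf, pos, depth) {
  if (depth > MAX_DEPTH) throw new Error('nesting too deep');
  if (pos >= buf.length) throw new Error('truncated');
  const b = buf[pos++];
  const need = (n) => { if (pos + n > buf.length) throw new Error('truncated'); };
  const uint = (n) => { need(n); const v = buf.readUIntBE(pos, n); pos += n; return v; };
  const bytes = (n) => { need(n); return pos + n; };
  const items = (n) => { while (n-- > 0) pos = skipValue(buf, pos, depth + 1); return pos; };
  const ext = (len) => {
    need(1 + len);                  // one type byte plus the payload
    const type = buf.readInt8(pos); // extension types are signed 8-bit
    if (!ALLOWED_EXT.has(type)) throw new Error(`extension 0x${(type & 0xff).toString(16)} not allowed`);
    return pos + 1 + len;
  };
  if (b <= 0x7f || b >= 0xe0) return pos;       // positive / negative fixint
  if (b <= 0x8f) return items((b & 0x0f) * 2);  // fixmap: key and value per entry
  if (b <= 0x9f) return items(b & 0x0f);        // fixarray
  if (b <= 0xbf) return bytes(b & 0x1f);        // fixstr
  switch (b) {
    case 0xc0: case 0xc2: case 0xc3: return pos;                           // nil, false, true
    case 0xc4: case 0xc5: case 0xc6: return bytes(uint(1 << (b - 0xc4)));  // bin8/16/32
    case 0xd9: case 0xda: case 0xdb: return bytes(uint(1 << (b - 0xd9)));  // str8/16/32
    case 0xc7: case 0xc8: case 0xc9: return ext(uint(1 << (b - 0xc7)));    // ext8/16/32
    case 0xcc: case 0xd0: return bytes(1);                                 // uint8, int8
    case 0xcd: case 0xd1: return bytes(2);                                 // uint16, int16
    case 0xca: case 0xce: case 0xd2: return bytes(4);                      // float32, uint32, int32
    case 0xcb: case 0xcf: case 0xd3: return bytes(8);                      // float64, uint64, int64
    case 0xdc: case 0xdd: return items(uint(b === 0xdc ? 2 : 4));          // array16/32
    case 0xde: case 0xdf: return items(uint(b === 0xde ? 2 : 4) * 2);      // map16/32
    case 0xc1: throw new Error('reserved byte 0xc1');
    default: return ext(1 << (b - 0xd4));                                  // fixext 1/2/4/8/16
  }
}

// Returns { ok, reason }; call it on untrusted input before handing `buf` to the decoder.
function checkMessage(buf) {
  try {
    const end = skipValue(buf, 0, 0);
    return end === buf.length ? { ok: true, reason: '' } : { ok: false, reason: 'trailing bytes' };
  } catch (e) { return { ok: false, reason: e.message }; }
}
// Constructed sample frames (framing only, not taken from the advisory).
const PLAIN = Buffer.from([0x81, 0xa1, 0x61, 0x01]);      // {"a": 1}
const TIMESTAMP = Buffer.from([0xd6, 0xff, 0, 0, 0, 0]);  // fixext4, type -1
const EXT_0X70 = Buffer.from([0x91, 0xd4, 0x70, 0xc0]);   // array holding a fixext1 of type 0x70
```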
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| msgpackr (npm) | < 1.10.1 | 1.10.1 |
References
- github.com/advisories/GHSA-7hpj-7hhx-2fgx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-52079 (ghsa, ADVISORY)
- github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602 (ghsa, x_refsource_MISC, WEB)
- github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx (ghsa, x_refsource_CONFIRM, WEB)