CVE-2023-52079

CVSS V2 None CVSS V3 None

Description

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

Overview

CVE ID
CVE-2023-52079

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-12-28T15:20:20.728Z

Last Modified Date
2023-12-28T15:20:20.728Z

Weakness Enumerations

CWE	URL
CWE-674	http://cwe.mitre.org/data/definitions/674.html
CWE-754	http://cwe.mitre.org/data/definitions/754.html

References

Reference URL	Reference Tags
https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx	x_refsource_CONFIRM
https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-52079
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52079

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 14:48:15				Added to TrackCVE