CVE-2023-52079 MEDIUM

CVE-2023-52079: Conversion of property names to strings can trigger infinite recursion

Vendor Kriszyp
Product msgpackr
Weakness CWE-674
Published December 28, 2023
Last update August 27, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

Key dates

02Disclosure timeline

December 28, 2023 CVE published
August 27, 2024 Record updated