CVE-2023-52079

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602	Patch
https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kriszyp:msgpackr:*:*:*:*:*:node.js:*:*

History

04 Jan 2024, 19:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CWE	~~CWE-754~~
First Time		Kriszyp Kriszyp msgpackr
CPE		cpe:2.3:a:kriszyp:msgpackr::::::node.js::*
References	~~() https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx -~~	() https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx - Vendor Advisory
References	~~() https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602 -~~	() https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602 - Patch

28 Dec 2023, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-28 16:16

Updated : 2024-02-28 20:54

NVD link : CVE-2023-52079

Mitre link : CVE-2023-52079

CVE.ORG link : CVE-2023-52079

JSON object : View

Products Affected

kriszyp

msgpackr

CWE

CWE-674

Uncontrolled Recursion

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2023-52079", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.2}]}, "published": "2023-12-28T16:16:01.863", "references": [{"url": "https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-674"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}, {"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. \nExploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue."}, {"lang": "es", "value": "msgpackr es una implementaci\u00f3n r\u00e1pida de MessagePack NodeJS/JavaScript. Antes de la versi\u00f3n 1.10.1, al decodificar mensajes MessagePack proporcionados por el usuario, los usuarios pod\u00edan activar hilos atascados creando mensajes que mantuvieran el decodificador atascado en un bucle. La soluci\u00f3n est\u00e1 disponible en v1.10.1. Las explotaciones parecen requerir una clonaci\u00f3n estructurada; reemplazar la extensi\u00f3n 0x70 con la suya propia (que arroja un error o hace algo m\u00e1s que una referencia recursiva) deber\u00eda mitigar el problema."}], "lastModified": "2024-01-04T19:24:22.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kriszyp:msgpackr:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A069FF92-55B5-4F7B-B10E-36BF23E6185A", "versionEndExcluding": "1.10.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}