Home > Vulnerability Database > CVE-2023-52079

Mend.io Vulnerability Database

CVE-2023-52079

Good to know:

Date: December 28, 2023

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

Language: JS

Severity Score

6.8

Related Resources (5)

Url: https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-52079

Url: https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602

Url: https://github.com/kriszyp/msgpackr

Url: https://www.mend.io/vulnerability-database/CVE-2023-52079

Severity Score

6.8

Weakness Type (CWE)

Improper Check for Unusual or Exceptional Conditions

CWE-754

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version msgpackr - 1.10.1

Learn More

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-52079

Good to know:

Date: December 28, 2023

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?