CVE-2023-52079: Improper Check for Unusual or Exceptional Conditions

December 28, 2023 (updated January 4, 2024)

msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

References

github.com/advisories/GHSA-7hpj-7hhx-2fgx
github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602
github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx
nvd.nist.gov/vuln/detail/CVE-2023-52079

Detect and mitigate CVE-2023-52079 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →