CVE-2024-48924: MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow

October 17, 2024 (updated October 18, 2024)

When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialized.

References

github.com/MessagePack-CSharp/MessagePack-CSharp
github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-4qm4-8hg2-g2xm
github.com/advisories/GHSA-4qm4-8hg2-g2xm
nvd.nist.gov/vuln/detail/CVE-2024-48924

Code Behaviors & Features

Detect and mitigate CVE-2024-48924 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →