{ "id": "CVE-2023-52079", "sourceIdentifier": "security-advisories@github.com", "published": "2023-12-28T16:16:01.863", "lastModified": "2024-01-04T19:24:22.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. \nExploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue." }, { "lang": "es", "value": "msgpackr es una implementaci\u00f3n r\u00e1pida de MessagePack NodeJS/JavaScript. Antes de la versi\u00f3n 1.10.1, al decodificar mensajes MessagePack proporcionados por el usuario, los usuarios pod\u00edan activar hilos atascados creando mensajes que mantuvieran el decodificador atascado en un bucle. La soluci\u00f3n est\u00e1 disponible en v1.10.1. Las explotaciones parecen requerir una clonaci\u00f3n estructurada; reemplazar la extensi\u00f3n 0x70 con la suya propia (que arroja un error o hace algo m\u00e1s que una referencia recursiva) deber\u00eda mitigar el problema." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.8, "impactScore": 3.6 }, { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.2, "impactScore": 4.0 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-674" } ] }, { "source": "security-advisories@github.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-674" }, { "lang": "en", "value": "CWE-754" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:kriszyp:msgpackr:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.10.1", "matchCriteriaId": "A069FF92-55B5-4F7B-B10E-36BF23E6185A" } ] } ] } ], "references": [ { "url": "https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602", "source": "security-advisories@github.com", "tags": [ "Patch" ] }, { "url": "https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx", "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ] } ] }