msgpackr is a fast MessagePack implementation for Node.js/JavaScript. Prior to version 1.10.1, decoding user-supplied MessagePack messages can leave threads stuck: a crafted message can keep the decoder in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning; replacing the 0x70 extension with your own (one that throws an error or does something other than recursive referencing) should mitigate the issue.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-28T15:20:20.728Z

Updated: 2024-08-27T14:59:13.839Z

Reserved: 2023-12-26T12:53:20.670Z

Link: CVE-2023-52079

Vulnrichment

Updated: 2024-08-02T22:48:12.173Z

NVD

Status: Modified

Published: 2023-12-28T16:16:01.863

Modified: 2024-11-21T08:39:07.520

Link: CVE-2023-52079

Redhat

Severity: Moderate

Public Date: 2023-12-28T00:00:00Z

Links: CVE-2023-52079 - Bugzilla