MessagePack is vulnerable to Use of Weak Hash
30
Low Risk
Affected versions of this package do not use a hashing function resistant to hash collision attacks. When deserializing data from untrusted sources, this can introduce security vulnerabilities, including arbitrary code execution or denial of service (DoS) attacks. Untrusted data may originate from external networks, be tampered with during transmission over unauthenticated connections, or come from compromised local storage. While MessagePack does not claim to authenticate or make data tamper-resistant, making this a low-severity vulnerability, updating to a more secure algorithm is recommended.
You are affected if you are using a version that falls within the vulnerable range.
MessagePack is vulnerable to Use of Weak Hash in versions 1.0.0 - 2.5.172 and 2.6.95-alpha - 3.0.238-rc.1.
Upgrade the MessagePack library to a patched version.
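One way to check pinned versions against the affected ranges above, as an added example that is not part of the advisory or of the MessagePack project. It treats the two stated ranges as inclusive bounds and assumes SemVer 2.0.0 precedence for pre-release tags; the function names and sample versions are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisory, treated as inclusive.
AFFECTED_RANGES = [
    ("1.0.0", "2.5.172"),
    ("2.6.95-alpha", "3.0.238-rc.1"),
]

_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse(version):
    """Return a sortable key that follows SemVer 2.0.0 precedence (assumed)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A release sorts after every pre-release of the same core version.
        return core + ((1,),)
    ids = []
    for ident in pre.split("."):
        # Numeric identifiers compare as integers and sort below text ones.
        ids.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
    return core + ((0, tuple(ids)),)


def is_affected(version):
    """True if the version falls inside either range listed in the advisory."""
    key = parse(version)
    return any(parse(lo) <= key <= parse(hi) for lo, hi in AFFECTED_RANGES)


def affected_versions(versions):
    """Filter an iterable of version strings down to the affected ones."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample of pinned versions, not taken from any real project.
    sample = ["1.9.11", "2.5.172", "2.6.95-alpha", "3.0.238-rc.1", "3.0.238"]
    for v in sample:
        print(f"MessagePack {v}: {'AFFECTED' if is_affected(v) else 'not in range'}")
```

A release such as 3.0.238 sorts after 3.0.238-rc.1, so it falls outside the second range, while 2.6.95 sorts after 2.6.95-alpha and stays inside it.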