MessagePack is vulnerable to Out-of-bounds Read
82
High Risk
The optional LZ4 decompression path for Lz4Block and Lz4BlockArray used a fast decoder that did not bound reads against the compressed input length. Crafted LZ4 token and length fields in untrusted MessagePack payloads could drive out-of-bounds reads from the source buffer and terminate the process with an AccessViolationException, with limited memory disclosure possible before failure. The fix threads the compressed input length through the decoder and rejects malformed blocks before unsafe native reads.
You are affected if you use a version within the vulnerable range and enable LZ4 compression when deserializing untrusted MessagePack payloads.
MessagePack is vulnerable to Out-of-bounds Read in versions 0.0.1 - 2.5.300 and 3.0.0 - 3.1.6.
Upgrade the MessagePack library to a patched version.
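The description above states that the fix threads the compressed input length through the decoder and rejects malformed blocks before any unsafe read. The following is an added Python example, not MessagePack-CSharp's own code, of a minimal LZ4 block decoder written that way: every token, length extension, literal run and match offset is checked against the compressed length (and an output cap) before a byte is read or copied, so a crafted block is rejected with a ValueError rather than read past the source buffer. The sample blocks are hand-assembled for this example and do not come from the advisory.

```python
"""Bounded LZ4 block decoder (added example, not MessagePack-CSharp's code).

Every read from the compressed buffer is checked against its length, the
value the vulnerable fast decoder did not receive, and every write is
checked against an output limit, so malformed token/length fields raise
ValueError instead of driving out-of-bounds reads.
"""

MIN_MATCH = 4  # LZ4 stores match length as (low nibble of token) + 4


def _read_extended_length(src: bytes, ip: int, base: int, what: str):
    """Consume the length extension that follows a nibble of 15.

    Bytes are summed until one that is not 255; each byte is bounds-checked.
    Returns (total_length, new_input_position).
    """
    total = base
    while True:
        if ip >= len(src):
            raise ValueError(f"truncated {what} length extension")
        b = src[ip]
        ip += 1
        total += b
        if b != 255:
            return total, ip


def lz4_block_decompress(src: bytes, max_out: int = 1 << 20) -> bytes:
    """Decode one raw LZ4 block; raise ValueError on any malformed field."""
    src_len = len(src)  # compressed length, used in every bounds check below
    ip = 0
    out = bytearray()
    while True:
        if ip >= src_len:
            raise ValueError("truncated block: expected a sequence token")
        token = src[ip]
        ip += 1

        # Literal run: high nibble, optionally extended.
        lit_len = token >> 4
        if lit_len == 15:
            lit_len, ip = _read_extended_length(src, ip, lit_len, "literal")
        if lit_len > src_len - ip:
            raise ValueError("literal length exceeds compressed input")
        if lit_len > max_out - len(out):
            raise ValueError("decompressed size exceeds limit")
        out += src[ip:ip + lit_len]
        ip += lit_len
        if ip == src_len:
            return bytes(out)  # the final sequence carries literals only

        # Match: 2-byte little-endian offset back into the output, then length.
        if src_len - ip < 2:
            raise ValueError("truncated block: missing match offset")
        offset = src[ip] | (src[ip + 1] << 8)
        ip += 2
        if offset == 0 or offset > len(out):
            raise ValueError("match offset points outside the decoded output")
        match_len = (token & 0x0F) + MIN_MATCH
        if (token & 0x0F) == 15:
            match_len, ip = _read_extended_length(src, ip, match_len, "match")
        if match_len > max_out - len(out):
            raise ValueError("decompressed size exceeds limit")
        start = len(out) - offset
        for i in range(match_len):  # byte-wise so overlapping matches (offset < length) work
            out.append(out[start + i])


def decompress_or_reject(src: bytes, max_out: int = 1 << 20):
    """Return (True, payload) for a well-formed block, (False, reason) otherwise."""
    try:
        return True, lz4_block_decompress(src, max_out)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample blocks (hand-assembled for this example).
GOOD_BLOCK = b"\x35abc\x03\x00\x20XY"             # "abc", match(offset 3, len 9), literals "XY"
LONG_LITERALS = b"\xf0\x01" + b"0123456789abcdef"  # literal length 15 + 1 via extension byte
RUN_LENGTH = b"\x1fa\x01\x00\x02\x10z"             # "a", match(offset 1, len 19 + 2), literal "z"
BAD_LITERAL_LEN = b"\x50abc"                       # token claims 5 literals, only 3 bytes follow
BAD_OFFSET = b"\x14a\x05\x00"                      # match offset 5 with only 1 byte decoded
BAD_TRUNCATED = b"\x10a\x01"                       # one offset byte where two are required

if __name__ == "__main__":
    samples = [("GOOD_BLOCK", GOOD_BLOCK), ("LONG_LITERALS", LONG_LITERALS),
               ("RUN_LENGTH", RUN_LENGTH), ("BAD_LITERAL_LEN", BAD_LITERAL_LEN),
               ("BAD_OFFSET", BAD_OFFSET), ("BAD_TRUNCATED", BAD_TRUNCATED)]
    for name, block in samples:
        ok, result = decompress_or_reject(block)
        print(f"{name}: {'decoded ' + repr(result) if ok else 'rejected: ' + result}")
```

The three rejected samples correspond to the field classes the advisory names (literal length, match offset/length) and to plain truncation; the `max_out` cap is the companion check that keeps a small compressed block from forcing an unbounded decompressed allocation.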