- Reported:
- Issued:
- Package: rmpv (crates.io)
- Type: Vulnerability
- Categories:
- Keywords: #memory #dos #msgpack #serialization #deserialization
- Aliases:
- References:
- Patched:

Description
Affected versions of this crate pre-allocate memory when deserializing raw
buffers without checking whether sufficient data is available.
This allows an attacker to mount denial-of-service attacks by sending small
msgpack messages that cause gigabytes of memory to be allocated.
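
The following is an added example, not code from the advisory or from rmpv: a reader for a single MessagePack bin32 value that avoids the pattern described above by capping the up-front reservation and rejecting input shorter than its declared length. The names `read_bin32` and `PREALLOC_CAP` and the sample byte strings are assumptions constructed for this example.

```rust
use std::io::{self, Read};

// Hypothetical ceiling on up-front reservation (an assumption for this example).
const PREALLOC_CAP: usize = 4096;

/// Read one MessagePack bin32 value: marker 0xc6, 4-byte big-endian length, payload.
fn read_bin32<R: Read>(mut rd: R) -> io::Result<Vec<u8>> {
    let mut hdr = [0u8; 5];
    rd.read_exact(&mut hdr)?;
    if hdr[0] != 0xc6 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "not a bin32 marker"));
    }
    let declared = u32::from_be_bytes([hdr[1], hdr[2], hdr[3], hdr[4]]) as usize;

    // The pattern the advisory warns about would be:
    //     let mut buf = vec![0u8; declared];   // reserves up to 4 GiB
    //     rd.read_exact(&mut buf)?;            // ...and only then finds the data is missing
    // Instead, reserve a bounded amount and let the buffer grow with real bytes.
    let mut buf = Vec::with_capacity(declared.min(PREALLOC_CAP));
    let got = rd.take(declared as u64).read_to_end(&mut buf)?;
    if got != declared {
        return Err(io::Error::new(
            io::ErrorKind::UnexpectedEof,
            "payload shorter than declared length",
        ));
    }
    Ok(buf)
}

fn main() {
    // Constructed inputs: a well-formed 3-byte value, and a 6-byte message
    // whose header declares 0xFFFFFFFF payload bytes.
    let well_formed = [0xc6, 0, 0, 0, 3, b'a', b'b', b'c'];
    let oversized_claim = [0xc6, 0xff, 0xff, 0xff, 0xff, b'x'];
    println!("{:?}", read_bin32(&well_formed[..]));
    println!("{:?}", read_bin32(&oversized_claim[..]));
}
```

With this shape, memory use is bounded by the bytes actually received plus `PREALLOC_CAP`, regardless of the length field.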
Advisory available under CC0-1.0 license.