Miggo Logo
Miggo Vulnerability Database
CVE-2023-52079

CVE-2023-52079: msgpackr's conversion of property names to strings can trigger infinite recursion

8.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-52079
GHSA ID
GHSA-7hpj-7hhx-2fgx
EPSS Score
0.55893%
CWE
CWE-674
Published
12/28/2023
Updated
1/10/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
msgpackrnpm< 1.10.11.10.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsafe toString() conversions in two locations:

  1. In readKey(), where read().toString() could process malicious objects with recursive toString() implementations
  2. In recordDefinition's structure mapping, where property.toString() allowed arbitrary object conversion Both were patched by replacing toString() with asSafeString() which restricts input types. The commit diff shows these critical replacements, confirming these functions as the attack surface for uncontrolled recursion via crafted property names.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n ***o*in* us*r suppli** M*ss***P**k m*ss***s, us*rs **n tri***r stu*k t*r***s *y *r**tin* m*ss***s t**t k**p t** ***o**r stu*k in * loop. ### P*t***s T** *ix is *v*il**l* in v*.**.* ### Work*roun*s *xploits s**m to r*quir* stru*tur**

Reasoning

T** vuln*r**ility st*ms *rom uns*** toStrin*() *onv*rsions in two lo**tions: *. In r***K*y(), w**r* r***().toStrin*() *oul* pro**ss m*li*ious o*j**ts wit* r**ursiv* toStrin*() impl*m*nt*tions *. In r**or****inition's stru*tur* m*ppin*, w**r* prop*rty