VulnerableCode Package Details - pkg:maven/org.msgpack/msgpack-core@0.8.10

Search for packages

Vulnerability	Summary	Fixed by
VCID-mnu1-xpgp-6kgd Aliases: CVE-2026-21452 GHSA-cw39-r4h6-8j3x	MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation Affected Components: ``` org.msgpack.core.MessageUnpacker.readPayload() org.msgpack.core.MessageUnpacker.unpackValue() org.msgpack.value.ExtensionValue.getData() ``` A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.	0.9.11 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mnu1-xpgp-6kgd
Aliases:
CVE-2026-21452
GHSA-cw39-r4h6-8j3x

MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation Affected Components: ``` org.msgpack.core.MessageUnpacker.readPayload() org.msgpack.core.MessageUnpacker.unpackValue() org.msgpack.value.ExtensionValue.getData() ``` A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.

0.9.11
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:35:03.830725+00:00	GitLab Importer	Affected by	VCID-mnu1-xpgp-6kgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.msgpack/msgpack-core/CVE-2026-21452.yml	38.6.0

2026-06-06T06:35:03.830725+00:00

GitLab Importer

Affected by

VCID-mnu1-xpgp-6kgd

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.msgpack/msgpack-core/CVE-2026-21452.yml

38.6.0

Next non-vulnerable version	0.9.11
Latest non-vulnerable version	0.9.11
Risk	4.0