VulnerableCode Package Details - pkg:maven/org.msgpack/msgpack-core@0.9.11

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mnu1-xpgp-6kgd	MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation Affected Components: ``` org.msgpack.core.MessageUnpacker.readPayload() org.msgpack.core.MessageUnpacker.unpackValue() org.msgpack.value.ExtensionValue.getData() ``` A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.	CVE-2026-21452 GHSA-cw39-r4h6-8j3x

Vulnerability

Summary

Aliases

VCID-mnu1-xpgp-6kgd

MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation Affected Components: ``` org.msgpack.core.MessageUnpacker.readPayload() org.msgpack.core.MessageUnpacker.unpackValue() org.msgpack.value.ExtensionValue.getData() ``` A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.

CVE-2026-21452
GHSA-cw39-r4h6-8j3x

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T21:54:45.836687+00:00	GHSA Importer	Fixing	VCID-mnu1-xpgp-6kgd	https://github.com/advisories/GHSA-cw39-r4h6-8j3x	38.6.0
2026-06-04T16:54:12.750130+00:00	GithubOSV Importer	Fixing	VCID-mnu1-xpgp-6kgd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-cw39-r4h6-8j3x/GHSA-cw39-r4h6-8j3x.json	38.6.0
2026-06-02T04:49:22.721365+00:00	GitLab Importer	Fixing	VCID-mnu1-xpgp-6kgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.msgpack/msgpack-core/CVE-2026-21452.yml	38.6.0