Unknown · Messagepack For Java · CVE-2026-21452
**Name of the Vulnerable Software and Affected Versions**
MessagePack for Java versions prior to 0.9.11
**Description**
A denial-of-service issue exists in MessagePack for Java when it processes .msgpack files. Versions before 0.9.11 are susceptible to unbounded heap allocation when deserializing .msgpack files that contain EXT32 objects with attacker-controlled payload lengths: the library trusts the declared EXT payload length during materialization and attempts to allocate a byte array of that size without any upper bound. A small, crafted .msgpack file can therefore exhaust the JVM heap, terminating the process or making the service unavailable. Because the issue is triggered during model loading and deserialization, it is a model-format issue that can be exploited remotely; the attack requires no malformed bytes, no user interaction, and no elevated privileges.
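The defensive check the description implies, written here in Python as an added illustration; this is not code from msgpack-java, and the library's actual fix in 0.9.11 is not reproduced. The block is a minimal parser for the MessagePack ext family (fixext, ext8, ext16, ext32) that reads only the header first, then validates the declared payload length against a configurable cap and against the bytes actually present before allocating anything. The sample inputs, the cap value and the function names are constructed for this example. Note that the "remaining bytes" check only works for fully buffered input; for a streamed source, only the cap stands between the declared length and the heap.

```python
import struct

# Marker bytes for the MessagePack ext family, per the MessagePack spec.
FIXEXT_SIZES = {0xD4: 1, 0xD5: 2, 0xD6: 4, 0xD7: 8, 0xD8: 16}
EXT8, EXT16, EXT32 = 0xC7, 0xC8, 0xC9


class ExtLengthError(ValueError):
    """Raised when a declared ext payload length fails validation."""


def read_ext_header(buf: bytes, pos: int = 0):
    """Parse an ext header at buf[pos]; return (ext_type, declared_len, payload_offset).

    Only the header bytes are inspected here; nothing is allocated for the payload.
    """
    marker = buf[pos]
    if marker in FIXEXT_SIZES:
        (ext_type,) = struct.unpack_from(">b", buf, pos + 1)
        return ext_type, FIXEXT_SIZES[marker], pos + 2
    if marker == EXT8:
        length, ext_type = struct.unpack_from(">Bb", buf, pos + 1)
        return ext_type, length, pos + 3
    if marker == EXT16:
        length, ext_type = struct.unpack_from(">Hb", buf, pos + 1)
        return ext_type, length, pos + 4
    if marker == EXT32:
        length, ext_type = struct.unpack_from(">Ib", buf, pos + 1)
        return ext_type, length, pos + 6
    raise ValueError(f"0x{marker:02x} is not an ext marker")


def declared_allocation(buf: bytes) -> int:
    """Size a length-trusting reader would allocate before reading the payload.

    This is the quantity the advisory describes as attacker-controlled; it is
    returned rather than allocated so the unsafe pattern can be observed safely.
    """
    _, length, _ = read_ext_header(buf)
    return length


def read_ext_bounded(buf: bytes, max_payload: int = 1 << 20):
    """Read one ext object, refusing to allocate more than policy and input allow.

    max_payload (1 MiB here) is an assumed application-level cap, not a library value.
    """
    ext_type, length, off = read_ext_header(buf)
    if length > max_payload:
        raise ExtLengthError(f"declared ext length {length} exceeds cap {max_payload}")
    remaining = len(buf) - off
    if length > remaining:
        raise ExtLengthError(f"declared ext length {length} exceeds remaining input {remaining}")
    # Allocation happens only after both checks pass.
    return ext_type, bytes(buf[off:off + length])


def rejects_oversized(buf: bytes, max_payload: int = 1 << 20) -> bool:
    """True if the bounded reader refuses the object, False if it reads it."""
    try:
        read_ext_bounded(buf, max_payload)
    except ExtLengthError:
        return True
    return False


# Constructed sample: a well-formed ext32, type 7, carrying a 3-byte payload.
GOOD_EXT32 = bytes([EXT32]) + struct.pack(">Ib", 3, 7) + b"abc"

# Constructed sample: a 6-byte input whose header declares a 4 GiB payload
# that is not present. A trusting reader sizes its buffer from this field.
OVERSIZED_EXT32 = bytes([EXT32]) + struct.pack(">Ib", 0xFFFFFFFF, 7)


if __name__ == "__main__":
    print("bytes on disk:", len(OVERSIZED_EXT32),
          "declared allocation:", declared_allocation(OVERSIZED_EXT32))
    print("bounded reader rejects oversized header:", rejects_oversized(OVERSIZED_EXT32))
    print("bounded reader accepts valid object:", read_ext_bounded(GOOD_EXT32))
```

The cap is the part that matters in a service: a deployment-specific limit on the largest ext payload a model file may legitimately contain lets the reader fail fast on absurd lengths regardless of whether the input is buffered or streamed.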
**Recommendations**
Update MessagePack for Java to version 0.9.11 or later.