
Ninevra

#40464 of 53,630
6.7 Total CVSS
Vulnerabilities · 1
PT-2021-14450
6.7
2021-03-12
Msgpack5 · Msgpack5 · CVE-2021-21368
**Name of the Vulnerable Software and Affected Versions**

- msgpack5 versions prior to 3.6.1
- msgpack5 versions prior to 4.5.1
- msgpack5 versions prior to 5.2.1

**Description**

The issue occurs when msgpack5 decodes a map containing a key `__proto__`, assigning the decoded value to `__proto__`. This allows an attacker to submit crafted MessagePack data, producing values that appear to be of other types, with unexpected prototype properties and methods, or throwing unexpected exceptions. The decoded value's prototype is affected, and it can only be set to msgpack5 values. There is no effect on the global prototype.

**Recommendations**

- For versions prior to 3.6.1, update to version 3.6.1 or later.
- For versions prior to 4.5.1, update to version 4.5.1 or later.
- For versions prior to 5.2.1, update to version 5.2.1 or later.

As a temporary workaround, always validate incoming data after parsing before doing any processing.
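The assignment pattern described above and the post-parse validation workaround, as an added JavaScript example that is not msgpack5's own code. The function names and the sample pairs are hypothetical, and the validator assumes decoded data should contain only plain objects, arrays, primitives and binary buffers.

```javascript
// Added example, not msgpack5 source. All function names are hypothetical.

// Mimics the pattern in the advisory: plain assignment of each decoded key,
// so a "__proto__" key goes through the prototype setter.
function naiveBuildMap(pairs) {
  const out = {};
  for (const [key, value] of pairs) out[key] = value;
  return out;
}

// Hardened construction: defineProperty creates an own data property and
// never invokes the "__proto__" setter.
function safeBuildMap(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(out, key,
      { value, writable: true, enumerable: true, configurable: true });
  }
  return out;
}

// Post-parse validation: walk the decoded value and report every object
// whose prototype is not the default one, and every own "__proto__" key.
function findPrototypeTampering(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object' || ArrayBuffer.isView(value)) {
    return found; // primitives and binary buffers are leaves
  }
  const expected = Array.isArray(value) ? Array.prototype : Object.prototype;
  if (Object.getPrototypeOf(value) !== expected) {
    found.push(`${path}: unexpected prototype`);
  }
  for (const key of Object.keys(value)) {
    if (key === '__proto__') found.push(`${path}: own "__proto__" key`);
    findPrototypeTampering(value[key], `${path}.${key}`, found);
  }
  return found;
}

// Constructed sample: key/value pairs as a decoder would see them in a map.
const SAMPLE_PAIRS = [['user', 'guest'], ['__proto__', { role: 'admin' }]];

const naive = naiveBuildMap(SAMPLE_PAIRS);
const safe = safeBuildMap(SAMPLE_PAIRS);
console.log(naive.role, findPrototypeTampering(naive));
console.log(safe.role, findPrototypeTampering(safe));
```

Rejecting any value for which `findPrototypeTampering` returns a non-empty list covers both cases: a prototype that was already replaced by a vulnerable decoder, and a literal `__proto__` key that a later merge or copy step could mishandle.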