PT-2020-18330 · Messagepack · Messagepack For C#/Unity

Neuecc · Published 2020-01-31 · Updated 2020-02-24 · CVE-2020-5234

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: MessagePack for C# and Unity versions 1.9.3 through 1.9.10; MessagePack for C# and Unity versions 2.1.80 through 2.1.89.

Description: Untrusted messagepack data can cause a denial of service through hash collisions and stack overflow when it is deserialized from an untrusted source. This can result in large CPU consumption or a crash of the deserializing process.

Recommendations: For MessagePack for C# and Unity versions 1.9.3 through 1.9.10, upgrade to any 1.9.x version, put MessagePack into a more secure mode with `MessagePackSecurity.Active = MessagePackSecurity.UntrustedData;`, and regenerate any code produced by mpc with the patched version. For MessagePack for C# and Unity versions 2.1.80 through 2.1.89, upgrade to any 2.1.x or later version, put MessagePack into a more secure mode by configuring the `MessagePackSerializerOptions.Security` property, and regenerate any code produced by mpc with the patched version. As a temporary workaround, consider avoiding the built-in formatters entirely in favor of reading messagepack primitive data directly or relying on carefully written custom formatters.
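Configuring the secure mode the recommendations describe, as an added example and not the project's own code; it assumes the v2.1.x API (MessagePackSerializerOptions.WithSecurity, MessagePackSecurity.UntrustedData, WithMaximumObjectGraphDepth, MessagePackWriter) and uses a constructed nested-array input to confirm that the depth limit turns a process-killing stack overflow into a catchable exception.

```csharp
using System;
using System.Buffers;
using MessagePack;

public static class UntrustedMessagePack
{
    // Hardened options for data of unknown origin: collision-resistant hashing
    // for dictionaries/sets plus a bounded object-graph depth (assumed v2.1.x API;
    // on 1.9.x the page's static MessagePackSecurity.Active assignment is used instead).
    public static readonly MessagePackSerializerOptions Options =
        MessagePackSerializerOptions.Standard.WithSecurity(
            MessagePackSecurity.UntrustedData.WithMaximumObjectGraphDepth(64));

    // Deserialize untrusted bytes. An over-deep graph surfaces as a
    // MessagePackSerializationException (inner InsufficientExecutionStackException)
    // rather than a StackOverflowException, which .NET cannot catch.
    public static bool TryDeserialize<T>(ReadOnlyMemory<byte> data, out T value, out string error)
    {
        try
        {
            value = MessagePackSerializer.Deserialize<T>(data, Options);
            error = null;
            return true;
        }
        catch (MessagePackSerializationException ex)
        {
            value = default;
            error = ex.InnerException?.Message ?? ex.Message;
            return false;
        }
    }

    // Constructed test input: `depth` nested one-element arrays ending in nil.
    // Used only to verify that the hardened options reject over-deep graphs.
    public static ReadOnlyMemory<byte> NestedArrays(int depth)
    {
        var buffer = new ArrayBufferWriter<byte>();
        var writer = new MessagePackWriter(buffer);
        for (int i = 0; i < depth; i++) writer.WriteArrayHeader(1);
        writer.WriteNil();
        writer.Flush();
        return buffer.WrittenMemory;
    }

    public static void Main()
    {
        // 200 levels exceeds the 64-level limit configured above, so this is rejected.
        bool ok = TryDeserialize<object>(NestedArrays(200), out _, out string error);
        Console.WriteLine(ok ? "accepted" : "rejected: " + error);
    }
}
```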

Fix

Stack Overflow

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2020-5234
GHSA-7Q36-4XX7-XCXF

Affected Products

Messagepack For C#/Unity