PT-2021-14450 · Msgpack5 · Msgpack5
Ninevra · Published 2021-03-12 · Updated 2022-10-24 · CVE-2021-21368
CVSS v3.1: 6.7 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
msgpack5 versions prior to 3.6.1
msgpack5 versions prior to 4.5.1
msgpack5 versions prior to 5.2.1
Description
The issue occurs when msgpack5 decodes a map containing a key "__proto__", assigning the decoded value to __proto__. This allows an attacker to submit crafted MessagePack data, producing values that appear to be of other types, with unexpected prototype properties and methods, or throwing unexpected exceptions. The decoded value's prototype is affected, and it can only be set to msgpack5 values. There is no effect on the global prototype.
Recommendations
For versions prior to 3.6.1, update to version 3.6.1 or later.
For versions prior to 4.5.1, update to version 4.5.1 or later.
For versions prior to 5.2.1, update to version 5.2.1 or later.
As a temporary workaround, always validate incoming data after parsing before doing any processing.
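The workaround above, sketched as an added example (not msgpack5 code and not part of the original advisory): a post-decode check that rejects any container whose prototype is not the built-in Object or Array prototype. `legacyAssignMap` is a constructed stand-in for the pre-fix assignment behaviour described above, and the allowed set assumes the application expects only plain maps and arrays.

```javascript
// Prototypes the application accepts on decoded containers.
// Assumption: only plain maps and arrays are expected (no binary, no ext types).
const ALLOWED = new Set([Object.prototype, Array.prototype]);

// Walks a decoded value and throws if any container has a swapped prototype
// or carries an own "__proto__" key. Returns the value unchanged when clean.
function assertPlainDecoded(value, path = '$', seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value; // primitives
  if (seen.has(value)) return value;                             // already checked
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  // The prototype must be a built-in one, and must match the container kind.
  if (!ALLOWED.has(proto) || Array.isArray(value) !== (proto === Array.prototype)) {
    throw new TypeError(`unexpected prototype at ${path}`);
  }
  for (const key of Reflect.ownKeys(value)) {
    if (key === '__proto__') throw new TypeError(`"__proto__" key at ${path}`);
    assertPlainDecoded(value[key], `${path}.${String(key)}`, seen);
  }
  return value;
}

// Constructed stand-in for the pre-fix behaviour: every decoded key is
// assigned with result[key] = value, so a "__proto__" key reaches the
// prototype setter. Hypothetical helper, NOT msgpack5's decoder.
function legacyAssignMap(entries) {
  const result = {};
  for (const [key, value] of entries) result[key] = value;
  return result;
}

// True when validation refuses the value.
function isRejected(value) {
  try { assertPlainDecoded(value); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Constructed sample inputs (already-decoded key/value pairs).
const clean = legacyAssignMap([['user', 'alice'], ['roles', ['read']]]);
const swapped = legacyAssignMap([['user', 'alice'], ['__proto__', ['x']]]);

console.log(isRejected(clean));      // false
console.log(isRejected(swapped));    // true
console.log(Array.isArray(swapped),  // false: still a plain object ...
            swapped.length);         // 1: ... but it inherits array properties
```

Run the check on the decoder's output before any other code touches it, and treat a thrown TypeError as a rejected message.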
Exploit
Fix
Prototype Pollution
Affected Products
Msgpack5