Description
MessagePack for C# and Unity before versions 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to a DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.
References (4)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf
Patch, Third Party Advisory x_refsource_misc
https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02
Issue Tracking x_refsource_misc
https://github.com/neuecc/MessagePack-CSharp/issues/810
Scores
CVSS v3
4.8
EPSS
0.0055
EPSS Percentile
68.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-121
CWE-787
Status
published
Products (13)
messagepack/messagepack
2.0.94 alpha
messagepack/messagepack
2.0.110 alpha
messagepack/messagepack
2.0.119 beta
messagepack/messagepack
2.0.123 beta
messagepack/messagepack
2.0.204 beta
messagepack/messagepack
2.0.270 rc
messagepack/messagepack
2.0.299 rc
messagepack/messagepack
< 1.9.3
nuget/MessagePack
0 - 1.9.11 (NuGet)
nuget/MessagePack.ImmutableCollection
0 - 1.9.11 (NuGet)
... and 3 more
Published
Jan 31, 2020
Tracked Since
Feb 18, 2026