dotnet · MessagePack

Heads-up
MessagePack-CSharp LZ4 Decompression Bomb Vulnerability
MessagePack-CSharp's LZ4 decompression routines allocate output buffers based on attacker-controlled uncompressed lengths before validation, enabling a decompression bomb attack.
What changed
MessagePack-CSharp's LZ4 decompression routines allocate output buffers based on attacker-controlled uncompressed lengths before validation, enabling a decompression bomb attack.
Who it affects
Applications using MessagePack-CSharp with MessagePackCompression.Lz4Block or Lz4BlockArray enabled, especially when deserializing untrusted payloads.
What to do today
Upgrade the MessagePack package to the patched version once it is released; until then, disable LZ4 compression when deserializing untrusted input, or enforce strict size limits before a payload reaches the deserializer.
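As an added example (not code from MessagePack-CSharp or from this advisory), a C# wrapper that applies both interim measures: it refuses LZ4 envelopes from untrusted peers and, where LZ4 is needed, checks the sender-declared uncompressed size against a cap before the library can allocate for it. The wrapper assumes MessagePack-CSharp v2's public API (MessagePackReader, MessagePackSerializerOptions) and that the library's LZ4 envelopes are msgpack ext values with reserved type codes 99 (Lz4Block, whose body starts with the declared uncompressed length as a msgpack int) and 98 (Lz4BlockArray); the size caps are illustrative.

```csharp
using System;
using MessagePack;

// Added defensive wrapper (not part of MessagePack-CSharp): bounds what an LZ4 envelope may
// declare before the library sees it, and disables LZ4 entirely for untrusted peers.
public static class GuardedMessagePack
{
    private const int MaxWireBytes = 4 * 1024 * 1024;        // cap on the raw wire payload
    private const int MaxDeclaredBytes = 16 * 1024 * 1024;   // cap on a declared uncompressed size
    // Assumed: MessagePack-CSharp's reserved ext type codes for its LZ4 envelopes.
    private const sbyte Lz4Block = 99;
    private const sbyte Lz4BlockArray = 98;

    // allowLz4 == false (untrusted peers): the serializer never decompresses, so no
    // sender-declared length can drive an allocation. allowLz4 == true (semi-trusted peers):
    // the declared length is checked here, externally, before deserialization begins.
    public static T Deserialize<T>(ReadOnlyMemory<byte> payload, bool allowLz4)
    {
        if (payload.IsEmpty || payload.Length > MaxWireBytes)
            throw new InvalidOperationException($"payload of {payload.Length} bytes rejected");

        bool isLz4 = TryInspectLz4Envelope(payload, out int declared);
        if (isLz4 && !allowLz4)
            throw new InvalidOperationException("LZ4 envelopes are not accepted on this endpoint");
        if (isLz4 && (declared < 0 || declared > MaxDeclaredBytes))
            throw new InvalidOperationException($"declared uncompressed size {declared} rejected");

        var options = MessagePackSerializerOptions.Standard
            .WithCompression(allowLz4 ? MessagePackCompression.Lz4Block : MessagePackCompression.None)
            .WithSecurity(MessagePackSecurity.UntrustedData); // also caps nesting depth etc.
        return MessagePackSerializer.Deserialize<T>(payload, options);
    }

    // Peeks at the envelope without decompressing anything. Returns true for either LZ4 ext
    // type. For Lz4Block, reports the uncompressed length the sender claims (assumed layout:
    // ext header followed by a msgpack int); for Lz4BlockArray the lengths are per block, so
    // it reports -1 and the caller rejects it under the cap above.
    public static bool TryInspectLz4Envelope(ReadOnlyMemory<byte> payload, out int declared)
    {
        declared = -1;
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Extension) return false;
        ExtensionHeader header = reader.ReadExtensionFormatHeader();
        if (header.TypeCode == Lz4Block) { declared = reader.ReadInt32(); return true; }
        return header.TypeCode == Lz4BlockArray;
    }
}
```

The peek reads only the ext header and one integer, so a payload that declares gigabytes of output is rejected after a few bytes of parsing rather than after a failed allocation.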
The trail: Collected → Audited → Written → Published