dotnet · MessagePack · Critical
MessagePack for .NET: LZ4 decompression out-of-bounds read vulnerability
What changed
A crafted LZ4-compressed payload can drive the LZ4 decompression path of MessagePack for .NET into reading outside the bounds of its buffers. The out-of-bounds read can crash the deserializing process (denial of service) and may expose adjacent memory contents in the decompressed output (potential memory disclosure).
Who it affects
Applications using MessagePack with LZ4 compression (Lz4Block or Lz4BlockArray) that deserialize untrusted data.
What to do today
Upgrade to a patched release: 2.5.301 or later on the v2 line, or 3.1.7 or later on the v3 line. If you cannot upgrade yet, stop accepting LZ4-compressed input from untrusted sources: deserialize such data with serializer options whose compression mode is MessagePackCompression.None rather than Lz4Block or Lz4BlockArray.
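The interim mitigation in code, as an added example that is not part of this advisory or of the MessagePack project: the `Telemetry` type, the `ReadFromUntrustedPeer` helper and the option names `UntrustedOptions` / `InternalOptions` are assumptions for illustration. The example relies on the library behaviour (as read from `MessagePackSerializer.Deserialize`) that the reader only attempts LZ4 decompression when the deserializing options have a compression mode set; with `MessagePackCompression.None` an LZ4 ext payload is not decompressed and deserialization fails with `MessagePackSerializationException` instead.

```csharp
using System;
using MessagePack;

// Assumed example type; not part of the advisory.
[MessagePackObject]
public class Telemetry
{
    [Key(0)] public string Host { get; set; } = "";
    [Key(1)] public int[] Samples { get; set; } = Array.Empty<int>();
}

public static class Lz4Mitigation
{
    // Options for anything that crosses a trust boundary: no compression mode,
    // so the reader never enters the LZ4 decompression path.
    public static readonly MessagePackSerializerOptions UntrustedOptions =
        MessagePackSerializerOptions.Standard
            .WithCompression(MessagePackCompression.None);

    // Options for trusted, internal traffic where LZ4 is still wanted
    // (only safe once the deserializing side runs a patched release).
    public static readonly MessagePackSerializerOptions InternalOptions =
        MessagePackSerializerOptions.Standard
            .WithCompression(MessagePackCompression.Lz4BlockArray);

    // Assumed helper: the single entry point through which external bytes
    // reach the deserializer, so the hardened options cannot be bypassed.
    public static Telemetry ReadFromUntrustedPeer(ReadOnlyMemory<byte> payload)
    {
        // With Compression == None the LZ4 ext header is not consumed; an
        // LZ4-compressed payload therefore fails to deserialize as Telemetry
        // rather than being handed to the vulnerable decompressor.
        return MessagePackSerializer.Deserialize<Telemetry>(payload, UntrustedOptions);
    }

    public static void Main()
    {
        var sample = new Telemetry { Host = "edge-01", Samples = new[] { 1, 2, 3 } };

        byte[] compressed = MessagePackSerializer.Serialize(sample, InternalOptions);
        byte[] plain = MessagePackSerializer.Serialize(sample, UntrustedOptions);

        // Uncompressed payload round-trips under the hardened options.
        Telemetry ok = ReadFromUntrustedPeer(plain);
        Console.WriteLine($"plain: {ok.Host}, {ok.Samples.Length} samples");

        // LZ4-compressed payload is rejected instead of decompressed.
        try
        {
            ReadFromUntrustedPeer(compressed);
            Console.WriteLine("compressed: unexpectedly accepted");
        }
        catch (MessagePackSerializationException ex)
        {
            Console.WriteLine($"compressed: rejected ({ex.GetType().Name})");
        }
    }
}
```

Apply the hardened options on every deserialization call that handles external input, including any default set through `MessagePackSerializer.DefaultOptions`; a single call site left on LZ4-enabled options keeps the vulnerable path reachable. Once the upgrade is in place, LZ4 can be re-enabled for the peers that need it.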