GHSA-mcrf-7hf9-f6q5

Suggest an improvement
Source
https://github.com/advisories/GHSA-mcrf-7hf9-f6q5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-mcrf-7hf9-f6q5/GHSA-mcrf-7hf9-f6q5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mcrf-7hf9-f6q5
Aliases
Published
2021-08-25T21:00:09Z
Modified
2023-11-08T04:21:02.280202Z
Summary
Unchecked vector pre-allocation
Details

Affected versions of this crate pre-allocate memory on deserializing raw buffers without checking whether there is sufficient data available. This allows an attacker to do denial-of-service attacks by sending small msgpack messages that allocate gigabytes of memory.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2021-08-06T19:28:40Z",
    "severity": "MODERATE"
}
References

Affected packages

crates.io / rmpv

Package

Name
rmpv
View open source insights on deps.dev
Purl
pkg:cargo/rmpv

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.2