GHSA-hv8m-jj95-wg3x
MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
Details
### Impact
A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes `Lz4Block` and `Lz4BlockArray`.
The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an `AccessViolationException` during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure.
This issue affects applications that deserialize untrusted data while LZ4 compression is enabled.
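As an added illustration (not MessagePack-CSharp's own code), the following C decoder for the raw LZ4 block format checks every read of the compressed input against a caller-supplied source length, which is exactly the bound the deprecated fast decoder does not take; the test inputs are constructed here and are not taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Reads LZ4 "extended length" bytes (a 255 byte continues the sum); returns 0 if input runs out. */
static int read_ext_len(const uint8_t *src, size_t src_len, size_t *ip, size_t *len)
{
    uint8_t b;
    do {
        if (*ip >= src_len) return 0;
        b = src[(*ip)++];
        *len += b;
    } while (b == 255);
    return 1;
}
/* Bounded LZ4 block decoder: every read of src and write of dst is checked
   against the caller-supplied sizes. Returns bytes written, or -1 on
   malformed or truncated input instead of reading past the buffer. */
long lz4_block_decode_safe(const uint8_t *src, size_t src_len,
                           uint8_t *dst, size_t dst_cap)
{
    size_t ip = 0, op = 0;
    while (ip < src_len) {
        uint8_t token = src[ip++];
        size_t lit = token >> 4;                       /* literal run length */
        if (lit == 15 && !read_ext_len(src, src_len, &ip, &lit)) return -1;
        if (lit > src_len - ip || lit > dst_cap - op) return -1;
        memcpy(dst + op, src + ip, lit);
        ip += lit; op += lit;
        if (ip == src_len) break;                      /* final literal-only sequence */
        if (src_len - ip < 2) return -1;               /* need a 2-byte match offset */
        size_t offset = src[ip] | ((size_t)src[ip + 1] << 8);
        ip += 2;
        if (offset == 0 || offset > op) return -1;     /* match must lie inside output */
        size_t mlen = (token & 0x0F) + 4;              /* match length, minimum 4 */
        if ((token & 0x0F) == 15 && !read_ext_len(src, src_len, &ip, &mlen)) return -1;
        if (mlen > dst_cap - op) return -1;
        for (size_t i = 0; i < mlen; i++)              /* byte copy: overlap is legal in LZ4 */
            dst[op + i] = dst[op - offset + i];
        op += mlen;
    }
    return (long)op;
}
/* Constructed test inputs (not taken from the advisory). */
const uint8_t kGood[] = {0x32, 'a', 'b', 'c', 0x03, 0x00};  /* decodes to "abcabcabc" */
const uint8_t kOverread[] = {0xF0, 0x20, 'x'};              /* claims 47 literals, carries 1 */
const uint8_t kBadOffset[] = {0x22, 'a', 'b', 0x05, 0x00};  /* offset 5 with only 2 bytes output */
uint8_t scratch[64];
```

The two malformed inputs are rejected with -1 where an unbounded decoder would read beyond the source or destination buffer.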
### Patches
The v2 versions are patched as of 2.5.301. The v3 versions are patched as of 3.1.7.
### Workarounds
Instead of upgrading, an application may take the following precautions:
1. Disable LZ4 compression for untrusted input paths (`Lz4Block`, `Lz4BlockArray`).
2. Only accept compressed payloads from strongly trusted producers.
3. Isolate deserialization in a separate process/container with restart supervision to limit availability impact.
### Resources
- MESSAGEPACKCSHARP-010
Affected packages
- MessagePack, affected from 0 (v2 line), fixed in 2.5.301: `dotnet add package MessagePack --version 2.5.301`
- MessagePack, affected from 3.0.214-rc.1 (v3 line), fixed in 3.1.7: `dotnet add package MessagePack --version 3.1.7`