MessagePack for Java Denial-of-Service Vulnerability via Malicious EXT32 Objects
Vulnerability
A denial-of-service vulnerability has been identified in MessagePack for Java in versions prior to 0.9.11. The issue arises during deserialization of .msgpack input containing EXT32 objects whose payload length field is attacker-controlled. The library parses the extension header lazily, but when it later processes the extension data it allocates a buffer sized from the declared payload length without checking that length against the input actually present. This can lead to unbounded heap allocation, causing JVM heap exhaustion, process termination, or service unavailability. The vulnerability can be exploited remotely in any deployment that uses MessagePack for Java and accepts .msgpack input from untrusted sources.
Impact
Exploitation of this vulnerability leads to unbounded memory allocation, causing rapid heap exhaustion and service unavailability. In a Java environment this typically results in an OutOfMemoryError, causing the process to terminate. Such an impact can disrupt applications and services that rely on Java-based infrastructure, potentially leading to cascading failures in production systems.
Reproduction
The vulnerability can be reproduced by creating a .msgpack file with an EXT32 header that declares a large payload size, such as 100 MB, but contains only a tiny amount of actual data. Deserializing this file with MessagePack for Java triggers the vulnerability: the library allocates memory based on the declared length without any safeguards, leading to an OutOfMemoryError.
Remediation
Users can upgrade to MessagePack for Java version 0.9.11 or later, where this vulnerability has been addressed by implementing gradual memory allocation for large payloads, particularly for EXT32 and BIN32 data types.
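The following is an added example, not code from the MessagePack for Java project or from this advisory. It shows the application-side defence for the mechanism described above: read the extension header (which the library parses lazily, so only a few bytes are consumed), then validate the declared length against a policy cap and against the bytes actually remaining in the input before calling readPayload, which is where the allocation sized from the declared length happens. The class name BoundedExtReader and the 1 MiB cap MAX_PAYLOAD_BYTES are assumptions chosen for illustration; the msgpack-core API calls (MessagePack.newDefaultUnpacker, MessageUnpacker.getNextFormat, unpackExtensionTypeHeader, getTotalReadBytes, readPayload, MessageBufferPacker) are the library's own. The hostile input in main is constructed by hand to match the Reproduction section: an EXT32 header declaring 0x06400000 bytes (100 MB) followed by only two payload bytes.

```java
import java.io.IOException;

import org.msgpack.core.ExtensionTypeHeader;
import org.msgpack.core.MessageBufferPacker;
import org.msgpack.core.MessageFormat;
import org.msgpack.core.MessagePack;
import org.msgpack.core.MessageUnpacker;
import org.msgpack.value.ValueType;

/**
 * Reads one EXT payload from msgpack input, refusing to allocate from the
 * declared length until it has been checked. Added example; not msgpack-java code.
 */
public final class BoundedExtReader {

    /** Hypothetical policy cap for a single EXT payload: 1 MiB. */
    static final int MAX_PAYLOAD_BYTES = 1 << 20;

    /**
     * Returns the EXT payload at the head of {@code data}, or throws IOException
     * before any allocation sized from untrusted input takes place.
     */
    public static byte[] readExtPayload(byte[] data) throws IOException {
        try (MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(data)) {
            // Peek at the format byte without consuming it.
            MessageFormat fmt = unpacker.getNextFormat();
            if (fmt.getValueType() != ValueType.EXTENSION) {
                throw new IOException("expected an EXT value, got " + fmt);
            }
            // Lazy header parse: only the format, length and type bytes are read here.
            ExtensionTypeHeader header = unpacker.unpackExtensionTypeHeader();
            int declared = header.getLength();

            // Check 1: the declared length is attacker-controlled; cap it by policy.
            if (declared < 0 || declared > MAX_PAYLOAD_BYTES) {
                throw new IOException("EXT payload length " + declared
                        + " exceeds cap of " + MAX_PAYLOAD_BYTES + " bytes");
            }
            // Check 2: the declared length must be backed by bytes that actually exist.
            long remaining = data.length - unpacker.getTotalReadBytes();
            if (declared > remaining) {
                throw new IOException("EXT declares " + declared
                        + " payload bytes but only " + remaining + " remain in input");
            }
            // Only now allocate: readPayload(int) creates a buffer of exactly `declared` bytes.
            return unpacker.readPayload(declared);
        }
    }

    public static void main(String[] args) throws IOException {
        // Benign input built with the library's own packer: type 1, three payload bytes.
        MessageBufferPacker packer = MessagePack.newDefaultBufferPacker();
        packer.packExtensionTypeHeader((byte) 1, 3);
        packer.writePayload(new byte[] {1, 2, 3});
        packer.close();
        byte[] ok = readExtPayload(packer.toByteArray());
        System.out.println("benign input accepted, payload bytes: " + ok.length);

        // Constructed hostile input: 0xc9 = EXT32, length 0x06400000 (100 MB),
        // type 0x01, then only two payload bytes (0x78 0x79).
        byte[] hostile = {(byte) 0xc9, 0x06, 0x40, 0x00, 0x00, 0x01, 0x78, 0x79};
        try {
            readExtPayload(hostile);
            System.out.println("hostile input accepted (should not happen)");
        } catch (IOException e) {
            System.out.println("hostile input rejected: " + e.getMessage());
        }
    }
}
```

The first check is the one that matters for the cap-less allocation described in this advisory; the second catches truncated or length-inflated files regardless of cap, and is cheap because the unpacker exposes how many bytes it has consumed. Both checks run before any buffer proportional to the declared length exists, so a 100 MB declaration costs a handful of header bytes rather than 100 MB of heap. Upgrading to 0.9.11 or later remains the primary fix; this pattern is defence in depth for code that reads extension payloads directly.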
