Threats Tagged 'nuget'

GHSA-w567-gjr2-hm5j: MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length (CVE-2026-48514)

MessagePack-CSharp's UnsafeBlitFormatterBase<T>.Deserialize method in Unity blit resolvers improperly allocates memory based on an attacker-controlled byte length without validating it against the actual payload size. This can lead to excessive memory allocation and potential out-of-memory exceptions or process termination on memory-constrained platforms when deserializing untrusted data. The vulnerability affects the MessagePack.UnityClient package and specific resolvers prior to patched versions. The issue is mitigated by upgrading to patched versions or avoiding use of vulnerable resolvers with untrusted input.

GHSA-cxmj-83gh-fp49: MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions (CVE-2026-48515)

MessagePack-CSharp contains a vulnerability in its multi-dimensional array formatters where dimension lengths are read from untrusted payloads and used to allocate arrays before validating that the total element count matches the encoded data. This can lead to excessive memory allocation and potential out-of-memory conditions when deserializing untrusted data into multi-dimensional arrays such as T[,], T[,,], or T[,,,]. The issue affects versions prior to 2.5.301 and versions 3.0 up to but not including 3.1.7. Fixes are prepared but not yet released. Until patched, users should avoid deserializing untrusted payloads into multi-dimensional arrays and prefer safer data shapes.

GHSA-q2h6-ghwm-5qm8: MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings (CVE-2026-48516)

MessagePack-CSharp's InterfaceLookupFormatter<TKey,TElement> constructs an internal dictionary using the default equality comparer instead of the security-aware comparer when deserializing ILookup<TKey,TElement>. This omission allows an attacker to craft payloads with colliding keys that degrade dictionary insertion performance, causing a CPU denial of service even when the application opts into untrusted-data security settings. The vulnerability affects versions of MessagePack prior to 2.5.301 and versions 3.0 up to but not including 3.1.7.

GHSA-qhmf-xw27-6rqr: MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments (CVE-2026-48517)

MessagePack-CSharp's typeless deserialization feature has a vulnerability where type restrictions do not recursively inspect array element types or generic type arguments. This allows an attacker to bypass outer-type blocklist checks by wrapping disallowed types inside arrays or generic containers. The issue affects applications that deserialize untrusted data using typeless serialization APIs. Fixes are available in versions 2.5.301 and 3.1.7. Users are advised to upgrade and avoid typeless deserialization of untrusted data or use explicit recursive allowlists.

GHSA-2hhq-c99x-492r: ImageMagick has a Heap Buffer Underwrite in the Floyd-Steinberg depth dithering method (CVE-2026-48724)

A heap buffer underwrite vulnerability exists in ImageMagick's Floyd-Steinberg depth dithering method when processing images with masks. This flaw can cause an out-of-bounds write before the start of a heap buffer, potentially leading to application instability or crashes. The vulnerability affects Magick.NET-Q16-AnyCPU versions prior to 14.14.0. No known exploits are reported in the wild. The issue is classified under CWE-787 (Out-of-bounds Write).

GHSA-5v62-8fq6-cp9m: ImageMagick has an Infinite Loop in subimage-search with crafted image (CVE-2026-48733)

An infinite loop vulnerability exists in the subimage-search operation of Magick.NET-Q16-AnyCPU when processing a crafted image. This flaw can cause the application to hang or become unresponsive due to excessive resource consumption. The issue affects versions prior to 14.14.0.

GHSA-h36c-3666-h489: ImageMagick Vulnerable to Stack Overflow in its MVG Decoder (CVE-2026-48734)

A stack overflow vulnerability exists in the MVG decoder of Magick.NET-Q16-AnyCPU due to a missing depth or visited-set check when processing crafted MVG files. This flaw could cause the application to crash or behave unexpectedly. The vulnerability affects versions prior to 14.14.0.

GHSA-4v89-6mgq-6rgc: ImageMagick has a Heap Buffer Over-Write in MAT decoder on 32-bit systems (CVE-2026-48994)

A heap buffer over-write vulnerability exists in the MAT decoder of ImageMagick on 32-bit systems due to a missing check of a return value. This flaw affects Magick.NET-Q16-AnyCPU versions prior to 14.14.0. The vulnerability does not impact confidentiality or integrity but can cause availability issues by crashing the application or causing denial of service. No known exploits are reported in the wild. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow).

GHSA-8pj9-6897-74xc: ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions (CVE-2026-49218)

A vulnerability in the ImageMagick DCM decoder allows bypassing a policy check, resulting in images with invalid dimensions. This flaw can cause crashes in subsequent image processing operations. The issue affects Magick.NET-Q16-AnyCPU versions prior to 14.14.0. No known exploits are reported in the wild. The vulnerability is classified as high severity due to its potential to cause denial of service via application crashes.

GHSA-xcjm-wqff-m669: ImageMagick: Policy Bypass can read disallowed files via symlink (CVE-2026-49219)

A vulnerability in Magick.NET-Q16-AnyCPU prior to version 14.14.0 allows a policy bypass via incorrect filename parsing. This flaw enables reading of files disallowed by security policies through the use of symbolic links. The issue can lead to unauthorized disclosure of sensitive information without requiring user interaction.

Showing 1 to 10 of 14 results
