---
tags:
- security
- proof-of-concept
- msgpack
license: mit
---

# MessagePack array32 repeated-empty-string materialization DoS PoC

This repository contains a benign security research PoC for a `.msgpack` artifact that drives large in-memory materialization during `msgpack.unpackb(..., raw=False)`.

Files:

- `control_bin32_same_size.msgpack`
- `malicious_array32_empty_strings_20000000.msgpack`
- `reproduce.py`

Observed behavior:

- control artifact:
  - parses successfully as one `bytes` object
- malicious artifact:
  - same size as control
  - parses successfully as a list of `20,000,000` empty strings
  - materially increases peak RSS during normal unpack

Reproduction:

```bash
python3 build_poc.py
python3 reproduce.py
```
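A pre-flight check for the behavior described above, as an added example that is not part of this repository: it walks a MessagePack buffer with the standard library only and rejects it when the declared object count exceeds a budget, before anything is materialized. It generalizes beyond the array32 case to maps and nested containers. `count_objects`, `TooManyObjects` and the scaled-down `CONTROL`/`SUSPECT` buffers are constructed here, with their layout assumed from the artifact file names.

```python
import struct

class TooManyObjects(ValueError):
    """Raised when the declared object count exceeds the caller's budget."""

# Tags followed by a fixed number of payload bytes (nil/bool/float/int/fixext).
FIXED = {0xc0: 0, 0xc2: 0, 0xc3: 0, 0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2,
         0xce: 4, 0xcf: 8, 0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8,
         0xd4: 2, 0xd5: 3, 0xd6: 5, 0xd7: 9, 0xd8: 17}
# Tags followed by a length field: (field width, extra bytes, children per unit).
SIZED = {0xc4: (1, 0, 0), 0xc5: (2, 0, 0), 0xc6: (4, 0, 0),   # bin 8/16/32
         0xc7: (1, 1, 0), 0xc8: (2, 1, 0), 0xc9: (4, 1, 0),   # ext 8/16/32
         0xd9: (1, 0, 0), 0xda: (2, 0, 0), 0xdb: (4, 0, 0),   # str 8/16/32
         0xdc: (2, 0, 1), 0xdd: (4, 0, 1),                    # array 16/32
         0xde: (2, 0, 2), 0xdf: (4, 0, 2)}                    # map 16/32

def count_objects(data, max_objects):
    """Walk one MessagePack value without building it; return its object count."""
    pos, pending, seen = 0, 1, 0
    while pending:
        if pos >= len(data):
            raise ValueError("truncated input")
        tag = data[pos]
        pos, pending, seen = pos + 1, pending - 1, seen + 1
        if tag <= 0x7f or tag >= 0xe0:        # fixint: no payload
            continue
        if tag <= 0x8f:                       # fixmap: key + value per entry
            pending += 2 * (tag & 0x0f)
        elif tag <= 0x9f:                     # fixarray
            pending += tag & 0x0f
        elif tag <= 0xbf:                     # fixstr: skip the bytes
            pos += tag & 0x1f
        elif tag in FIXED:
            pos += FIXED[tag]
        elif tag in SIZED:
            width, extra, children = SIZED[tag]
            n = int.from_bytes(data[pos:pos + width], "big")
            pos += width
            if children:
                pending += children * n       # containers only declare a count
            else:
                pos += n + extra              # leaf: skip payload
        else:
            raise ValueError("reserved tag 0xc1")
        if seen + pending > max_objects:      # reject on the declared count
            raise TooManyObjects(f"{seen + pending} objects declared")
    if pos > len(data):
        raise ValueError("truncated input")
    return seen

# Constructed, scaled-down stand-ins for the two artifacts (same byte size).
N = 1000
CONTROL = b"\xc6" + struct.pack(">I", N) + bytes(N)        # one bin32
SUSPECT = b"\xdd" + struct.pack(">I", N) + b"\xa0" * N     # array32 of ""
```

Both buffers are the same length, yet `CONTROL` counts as one object while `SUSPECT` declares 1001, which is the size-versus-object-count gap the artifacts demonstrate. msgpack-python's `unpackb` also accepts a `max_array_len` keyword that caps the length a single array header may declare.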