---
tags:
- security
- proof-of-concept
- messagepack
- denial-of-service
---

# MessagePack nested-array StackError PoC

This repository hosts a benign security research PoC for a MessagePack parser denial of service.

## Files

- `messagepack-nested-5000.msgpack`

## Reproduction

Use latest `msgpack 1.2.1`:

```bash
python3 -m venv .venv-msgpack-121
. .venv-msgpack-121/bin/activate
pip install msgpack==1.2.1
python - <<'PY'
import msgpack
data = open("messagepack-nested-5000.msgpack", "rb").read()
msgpack.unpackb(data, raw=False)
PY
```

Observed result:

- `StackError`

## Safety note

This artifact is a non-executable malformed model-file PoC for parser-stress testing only.
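
For services that accept untrusted MessagePack, nesting depth can be checked before the bytes reach the parser. The following is an added example, not code from this repository or from the msgpack project: it walks the encoded input iteratively, without recursion, and rejects over-nested input such as the file listed above. The names `max_depth` and `_uint` and the default `limit=64` are assumptions chosen for illustration.

```python
# Bytes following the type byte for fixed-size types (fixext counts its type byte).
FIXED = {0xc0: 0, 0xc2: 0, 0xc3: 0, 0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2,
         0xce: 4, 0xcf: 8, 0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8,
         0xd4: 2, 0xd5: 3, 0xd6: 5, 0xd7: 9, 0xd8: 17}
# bin/ext/str: type byte -> (width of length field, extra bytes such as the ext type).
SIZED = {0xc4: (1, 0), 0xc5: (2, 0), 0xc6: (4, 0), 0xc7: (1, 1), 0xc8: (2, 1),
         0xc9: (4, 1), 0xd9: (1, 0), 0xda: (2, 0), 0xdb: (4, 0)}
# array16/32 and map16/32: type byte -> (width of count field, objects per entry).
CONTAINERS = {0xdc: (2, 1), 0xdd: (4, 1), 0xde: (2, 2), 0xdf: (4, 2)}

def _uint(data, pos, width):
    """Read a big-endian unsigned integer, failing cleanly on truncated input."""
    if pos + width > len(data):
        raise ValueError("truncated MessagePack input")
    return int.from_bytes(data[pos:pos + width], "big")

def max_depth(data, limit=64):
    """Return the nesting depth of the first object; ValueError if over `limit` or malformed."""
    pos, deepest = 0, 0
    pending = [1]  # pending[i] = objects still expected at nesting level i
    while pending:
        if pending[-1] == 0:
            pending.pop()
            continue
        pending[-1] -= 1
        tag, children, pos = _uint(data, pos, 1), None, pos + 1
        if 0x80 <= tag <= 0x8f:             # fixmap: key + value per entry
            children = 2 * (tag & 0x0f)
        elif 0x90 <= tag <= 0x9f:           # fixarray
            children = tag & 0x0f
        elif 0xa0 <= tag <= 0xbf:           # fixstr
            pos += tag & 0x1f
        elif tag in FIXED:
            pos += FIXED[tag]
        elif tag in SIZED:
            width, extra = SIZED[tag]
            pos += width + extra + _uint(data, pos, width)
        elif tag in CONTAINERS:
            width, per_entry = CONTAINERS[tag]
            children = per_entry * _uint(data, pos, width)
            pos += width
        elif tag == 0xc1:                   # the only unassigned type byte
            raise ValueError("invalid type byte 0xc1")
        if pos > len(data):
            raise ValueError("truncated MessagePack input")
        if children is not None:            # entering a container
            pending.append(children)
            deepest = max(deepest, len(pending) - 1)
            if deepest > limit:
                raise ValueError("nesting depth exceeds limit of %d" % limit)
    return deepest
```

Call `max_depth(data)` on the raw bytes and only hand them to `msgpack.unpackb` when it returns; element counts are never used to allocate memory, so a large declared array length on short input ends in the truncation error.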