{"id":"RUSTSEC-2017-0006","summary":"Unchecked vector pre-allocation","details":"Affected versions of this crate pre-allocate memory on deserializing raw\nbuffers without checking whether there is sufficient data available.\n\nThis allows an attacker to do denial-of-service attacks by sending small\nmsgpack messages that allocate gigabytes of memory.","aliases":["GHSA-mcrf-7hf9-f6q5"],"modified":"2023-11-08T04:21:02.280202Z","published":"2017-11-21T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rmpv"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2017-0006.html"},{"type":"REPORT","url":"https://github.com/3Hren/msgpack-rust/issues/151"}],"affected":[{"package":{"name":"rmpv","ecosystem":"crates.io","purl":"pkg:cargo/rmpv"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.4.2"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":[],"arch":[]},"affected_functions":null},"database_specific":{"cvss":null,"categories":["denial-of-service"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2017-0006.json","informational":null}}],"schema_version":"1.7.3"}