SCA: security update for msgpack5 (GHSA-gmjw-49p4-pcfm)

high Tenable Self-Hosted Container Security Plugin ID 415208

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1,
4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a
key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor
property for the receiver's prototype. If the value corresponding to the key __proto__ decodes to an
object or null, msgpack5 sets the decoded object's prototype to that value. An attacker who can submit
crafted MessagePack data to a service can use this to produce values that appear to be of other types; may
have unexpected prototype properties and methods (for example length, numeric properties, and push et al
if __proto__'s value decodes to an Array); and/or may throw unexpected exceptions when used (for example
if the __proto__ value decodes to a Map or Date). Other unexpected behavior might be produced for other
types. There is no effect on the global prototype. This "prototype poisoning" is sort of a very limited
inversion of a prototype pollution attack. Only the decoded value's prototype is affected, and it can only
be set to msgpack5 values (though if the victim makes use of custom codecs, anything could be a msgpack5
value). We have not found a way to escalate this to true prototype pollution (absent other bugs in the
consumer's code). This has been fixed in msgpack5 version 3.6.1, 4.5.1, and 5.2.1. See the referenced
GitHub Security Advisory for an example and more details. (CVE-2021-21368)

See Also

https://github.com/advisories/GHSA-gmjw-49p4-pcfm

Plugin Details

Severity: High

ID: 415208

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-21368

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/12/2021

Vulnerability Publication Date: 3/12/2021

Reference Information

CVE: CVE-2021-21368