CVE-2021-29508: Deserialization of Untrusted Data

May 11, 2021 (updated May 25, 2021)

Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019.

References

github.com/AsynkronIT/Wire/security/advisories/GHSA-hpw7-3vq3-mmv6
nvd.nist.gov/vuln/detail/CVE-2021-29508
www.nuget.org/packages/Wire/

Code Behaviors & Features

Detect and mitigate CVE-2021-29508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →