GHSA-6v7p-g79w-8964: MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error

June 19, 2026

If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV.

If the Unpacker is used repeatedly to unpack untrusted input from external sources, it may be vulnerable to a DoS attack.

References

github.com/advisories/GHSA-6v7p-g79w-8964
github.com/msgpack/msgpack-python/commit/2c56ddb5d0025ed481d962c0f5d62d19dec7476d
github.com/msgpack/msgpack-python/releases/tag/v1.2.1
github.com/msgpack/msgpack-python/security/advisories/GHSA-6v7p-g79w-8964

Code Behaviors & Features

Detect and mitigate GHSA-6v7p-g79w-8964 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →