
[NEW] CVE-2026-38357: msgpack-lite Unbounded Recursion DoS#7610

Open
tldhs1144 wants to merge 1 commit into github:tldhs1144/advisory-improvement-7610 from tldhs1144:sion-park-CVE-2026-38357-msgpack-lite

Conversation

@tldhs1144

@tldhs1144 tldhs1144 commented May 7, 2026

Summary

Submitting a new advisory for msgpack-lite (npm), an unmaintained MessagePack decoder package.

  • CVE: CVE-2026-38357 (assigned by MITRE on 2026-05-06)
  • Package: msgpack-lite (npm, ~330k weekly downloads)
  • Affected: all versions, including 0.1.26 (latest)
  • Severity: CVSS 3.1 — 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CWE: CWE-674 (Uncontrolled Recursion)
  • Patch: None — package is unmaintained since 2016

Why this is being submitted as a PR (not via repo Security tab)

The upstream repository kawanet/msgpack-lite has not had commits since 2016 and the maintainer has not enabled private vulnerability reporting. This community PR is the path of last resort.

What I'm asking from the curation team

  • Assign a real GHSA-xxxx-xxxx-xxxx ID to replace msgpack-lite-cve-2026-38357
  • Move/rename the directory and filename to match the assigned ID
  • Add to the github-reviewed index so npm audit and Dependabot users are notified

Vulnerability summary

The decoder dispatches recursively on nested MessagePack types (fixarray 0x91, fixmap 0x80-0x8F) with no depth tracking. A ~5 KB buffer of repeated 0x91 bytes terminated by 0xc0 (nil) reliably triggers RangeError: Maximum call stack size exceeded on Node.js v18+.

Full details, PoC, and mitigation guidance are in the JSON details field.

Researcher

Sion Park (tldhs1144@gmail.com)

This finding is from a 2026-03 audit campaign of npm serialization libraries. Two related CVEs assigned to the same researcher are submitted in parallel PRs:

  • CVE-2026-38358 (xlsx CDATA recursion)
  • CVE-2026-38359 (xlsx ZIP header memory allocation)

Happy to address any curator feedback on schema, references, or wording.
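The mitigation the advisory points at (depth tracking in a recursive decoder) is easiest to see in code. The following is an added example written for this page, not code from msgpack-lite or from the advisory author: a minimal MessagePack decoder for a handful of types (nil, booleans, positive fixint, fixstr, fixarray, fixmap) whose recursive dispatch carries an explicit depth counter and refuses input that nests deeper than an assumed limit. The limit value (64), the error class name, the `safeDecode` wrapper and the `nestedArrays` helper that rebuilds the nested-fixarray input described above are all assumptions for illustration.

```javascript
// Added example (not msgpack-lite's code): depth-limited MessagePack decoding
// for a subset of the format. Assumed names: MAX_DEPTH, DepthExceededError,
// decode, safeDecode, nestedArrays.
const MAX_DEPTH = 64; // assumed limit; set per application, well below any engine stack limit

class DepthExceededError extends Error {
  constructor(depth) {
    super(`nesting depth ${depth} exceeds limit ${MAX_DEPTH}`);
    this.name = 'DepthExceededError';
  }
}

// Decode one value starting at state.pos; `depth` counts enclosing containers.
function decodeValue(buf, state, depth) {
  if (state.pos >= buf.length) throw new RangeError('unexpected end of input');
  const b = buf[state.pos++];
  if (b === 0xc0) return null;           // nil
  if (b === 0xc2) return false;          // false
  if (b === 0xc3) return true;           // true
  if (b <= 0x7f) return b;               // positive fixint
  if (b >= 0xa0 && b <= 0xbf) {          // fixstr, length in low 5 bits
    const len = b & 0x1f;
    if (state.pos + len > buf.length) throw new RangeError('truncated fixstr');
    const s = buf.subarray(state.pos, state.pos + len).toString('utf8');
    state.pos += len;
    return s;
  }
  if (b >= 0x90 && b <= 0x9f) {          // fixarray, length in low 4 bits
    // The check happens before recursing, so an unbounded chain of 0x91
    // bytes is rejected at MAX_DEPTH instead of exhausting the call stack.
    if (depth >= MAX_DEPTH) throw new DepthExceededError(depth + 1);
    const len = b & 0x0f;
    const out = [];
    for (let i = 0; i < len; i++) out.push(decodeValue(buf, state, depth + 1));
    return out;
  }
  if (b >= 0x80 && b <= 0x8f) {          // fixmap, pair count in low 4 bits
    if (depth >= MAX_DEPTH) throw new DepthExceededError(depth + 1);
    const len = b & 0x0f;
    // A Map (rather than a plain object) keeps keys such as "__proto__" inert.
    const out = new Map();
    for (let i = 0; i < len; i++) {
      const key = decodeValue(buf, state, depth + 1);
      const val = decodeValue(buf, state, depth + 1);
      out.set(key, val);
    }
    return out;
  }
  throw new Error(`unsupported type byte 0x${b.toString(16)}`);
}

// Decode a whole buffer; trailing bytes are treated as an error.
function decode(buf) {
  const state = { pos: 0 };
  const value = decodeValue(buf, state, 0);
  if (state.pos !== buf.length) throw new RangeError('trailing bytes after value');
  return value;
}

// Wrapper for untrusted input: never throws, reports the failure class instead,
// which is also what a detection rule would want to count.
function safeDecode(buf) {
  try {
    return { ok: true, value: decode(buf) };
  } catch (err) {
    return { ok: false, reason: err.name };
  }
}

// Constructed input: n nested single-element fixarrays (0x91) ending in nil (0xc0),
// the shape the advisory describes.
function nestedArrays(n) {
  const buf = Buffer.alloc(n + 1, 0x91);
  buf[n] = 0xc0;
  return buf;
}

// Stand-alone demonstration.
console.log(JSON.stringify(decode(Buffer.from([0x92, 0x01, 0xa2, 0x68, 0x69])))); // [1,"hi"]
console.log(safeDecode(nestedArrays(5000))); // { ok: false, reason: 'DepthExceededError' }
```

Because the depth check runs before each recursive call, the 5000-level input is rejected at the 65th nesting level with a catchable application error; the decoder's own stack usage stays bounded regardless of how long the chain of 0x91 bytes is. Counting `DepthExceededError` results at an ingress point is a cheap signal that someone is feeding pathological payloads.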

@github-actions github-actions Bot changed the base branch from main to tldhs1144/advisory-improvement-7610 May 7, 2026 13:20
@tldhs1144 tldhs1144 force-pushed the sion-park-CVE-2026-38357-msgpack-lite branch from a381960 to 4787a78 May 7, 2026 13:29