Describe the bug
decode() builds a JavaScript array from the declared MessagePack array count before reading or validating any elements against the remaining input (msgpack.js around line 49, new Array(length)). A 5-byte message declaring a large array count exhausts the V8 heap and aborts the Node process with a fatal out-of-memory error that cannot be caught with try/catch, even on the default heap.
To reproduce
const msgpack = require('msgpack-js');
// MessagePack array32 (0xdd) with a 4-byte count of 112,500,000
msgpack.decode(Buffer.from('dd06b49d20', 'hex'));
// => fatal V8 "JavaScript heap out of memory" abort (process exits 134)
Verified 2026-06-16 on msgpack-js 0.3.0 with default Node settings (no flags, heap limit ~4288 MB), Node 24: the process aborts (exit 134) and a try/catch around decode() does not prevent it.
Impact
A service decoding untrusted MessagePack with this library can be crashed by a few-byte message, an unauthenticated remote denial of service. The failure is a V8 out-of-memory abort, so application-level error handling does not contain it.
Note on maintenance
This library appears unmaintained (no release since 2013). Users should migrate to a maintained MessagePack library such as @msgpack/msgpack, which validates the declared size against available data and is not affected. Filing publicly to warn users; no fix is expected here.
Suggested fix (for reference / forks)
Do not pre-allocate from the declared count; bound the initial capacity to the remaining input (an element is at least 1 byte, so the count cannot exceed the remaining bytes) or build the array incrementally.
Found via boundary-value testing as part of my academic research.
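The bound described under "Suggested fix", written out as an added example that is not part of the original report or of msgpack-js. The names `readArrayHeader`, `decodeArray` and `decodeFixint` are hypothetical, and only array headers and positive-fixint elements are handled.

```javascript
'use strict';
// Added example: hypothetical helpers, not msgpack-js code.
// Read a MessagePack array header and reject a declared count that the
// remaining input cannot hold (every element occupies at least 1 byte).
function readArrayHeader(buf, offset = 0) {
  if (offset >= buf.length) throw new RangeError('truncated input');
  const tag = buf[offset];
  let count, next;
  if ((tag & 0xf0) === 0x90) {          // fixarray: count in the low nibble
    count = tag & 0x0f;
    next = offset + 1;
  } else if (tag === 0xdc) {            // array16: 2-byte big-endian count
    if (offset + 3 > buf.length) throw new RangeError('truncated array16 header');
    count = buf.readUInt16BE(offset + 1);
    next = offset + 3;
  } else if (tag === 0xdd) {            // array32: 4-byte big-endian count
    if (offset + 5 > buf.length) throw new RangeError('truncated array32 header');
    count = buf.readUInt32BE(offset + 1);
    next = offset + 5;
  } else {
    throw new TypeError('not an array header: 0x' + tag.toString(16));
  }
  const remaining = buf.length - next;
  if (count > remaining) {              // checked before anything is allocated
    throw new RangeError(`array declares ${count} elements, ${remaining} bytes remain`);
  }
  return { count, next };
}

// Build the array incrementally: memory grows with bytes actually consumed,
// never with the declared count (no new Array(count)).
function decodeArray(buf, offset, decodeElement) {
  const { count, next } = readArrayHeader(buf, offset);
  const out = [];
  let pos = next;
  for (let i = 0; i < count; i++) {
    const r = decodeElement(buf, pos);  // must return { value, next }
    out.push(r.value);
    pos = r.next;
  }
  return { value: out, next: pos };
}

// Demo element decoder (assumption for this example): positive fixint only.
function decodeFixint(buf, pos) {
  if (pos >= buf.length || buf[pos] > 0x7f) throw new RangeError('expected positive fixint');
  return { value: buf[pos], next: pos + 1 };
}
```

With this check the 5-byte message from the report raises a catchable `RangeError` instead of reaching the allocator.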