There is a vulnerability not fixed even in latest Intercom Android SDK 17.4.2:
org.msgpack:msgpack-core should be 0.9.11 or greater
```
|    +--- io.intercom.android:intercom-sdk-base:17.4.2
|    |    +--- io.ably:ably-android:1.5.0
|    |    |    +--- io.ably:network-client-okhttp:1.5.0
|    |    |    |    +--- io.ably:network-client-core:1.5.0
|    |    |    |    \--- com.squareup.okhttp3:okhttp:4.12.0 (*)
|    |    |    +--- org.msgpack:msgpack-core:0.8.11
```
Could you please update io.ably:ably-android to latest 1.6.1 to see if it fixes the vulnerability?
Thanks!
More Info

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.msgpack:msgpack-core (Maven) | < 0.9.11 | 0.9.11 |
Summary
Affected Components:
- org.msgpack.core.MessageUnpacker.readPayload()
- org.msgpack.core.MessageUnpacker.unpackValue()
- org.msgpack.value.ExtensionValue.getData()
A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.
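The advisory's point is that the declared EXT length is trusted before the payload is materialized. Until the transitive dependency is bumped to a patched msgpack-core, a consumer can check that length itself. The following is an added example written for this issue, not code from Intercom, Ably, msgpack-java or the advisory: it reads the extension header with the public `MessageUnpacker` API, rejects a declared length that exceeds an assumed policy cap (`MAX_EXT_PAYLOAD`, chosen here) or the total size of the input, and only then calls `readPayload()`. The class name, the cap, the extension type `7` and both sample byte strings are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.msgpack.core.ExtensionTypeHeader;
import org.msgpack.core.MessageBufferPacker;
import org.msgpack.core.MessageFormat;
import org.msgpack.core.MessagePack;
import org.msgpack.core.MessageUnpacker;
import org.msgpack.value.ValueType;

public class BoundedExtReader {

    // Assumed policy cap for a single EXT payload (1 MiB); size it for your own data.
    static final int MAX_EXT_PAYLOAD = 1 << 20;

    /**
     * Reads one msgpack EXT value and returns its payload, or throws before any
     * payload-sized allocation if the declared length is implausible.
     */
    static byte[] readBoundedExt(byte[] input) throws IOException {
        try (MessageUnpacker unpacker = MessagePack.newDefaultUnpacker(input)) {
            MessageFormat format = unpacker.getNextFormat();
            if (format.getValueType() != ValueType.EXTENSION) {
                throw new IOException("expected an EXT value, got " + format);
            }
            // Only the fixed-size header is read here; the payload is not yet allocated.
            ExtensionTypeHeader header = unpacker.unpackExtensionTypeHeader();
            int declared = header.getLength();
            // Two independent bounds: a policy cap, and the physical size of the input.
            // A payload can never be longer than the whole buffer that carries it.
            if (declared < 0 || declared > MAX_EXT_PAYLOAD || declared > input.length) {
                throw new IOException("EXT type " + header.getType() + " declares "
                        + (declared & 0xFFFFFFFFL) + " bytes; rejected before allocation");
            }
            return unpacker.readPayload(declared);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed benign sample: a 5-byte payload packed with the library itself.
        byte[] payload = "hello".getBytes(StandardCharsets.UTF_8);
        try (MessageBufferPacker packer = MessagePack.newDefaultBufferPacker()) {
            packer.packExtensionTypeHeader((byte) 7, payload.length);
            packer.writePayload(payload);
            byte[] benign = packer.toByteArray();
            System.out.println("benign payload: "
                    + new String(readBoundedExt(benign), StandardCharsets.UTF_8));
        }

        // Constructed header-only sample: EXT32 marker (0xc9), 4-byte big-endian declared
        // length 0x7fffffff, type byte 7, and no payload bytes at all. The guard rejects it
        // because the declared length exceeds both the cap and the 6-byte input.
        byte[] headerOnly = {(byte) 0xc9, 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, 0x07};
        try {
            readBoundedExt(headerOnly);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same header-first pattern applies when iterating a stream of values: check `getNextFormat()`, and for `ValueType.EXTENSION` unpack the header and validate its length before either `readPayload()` or `unpackValue()`, since both materialize the declared number of bytes. The input-size bound only works for in-memory buffers; for a stream, rely on the policy cap alone.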