@gfx
Last active July 24, 2021 00:27

Hello!

I'm Goro, the primary maintainer of https://github.com/msgpack/msgpack-javascript (a.k.a. @msgpack/msgpack) right now.

Thanks for your vulnerability report. However, I'm not sure the code is really vulnerable. The following expression is part of your PoC:

(function () { require("child_process").exec("echo code_executed!", function (error, stdout, stderr) { console.log(stdout); }); })();

The anonymous function expression is called immediately, right? So the value of the expression is undefined, since the function does not have a return statement. So the object passed to msgpack.encode() is { exploit: undefined }. child_process.exec() seems not related to the msgpack module.

What do you think?


Best Regards, Goro Fuji
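
The evaluation order described in the message above, as an added example that is not part of the original message or of @msgpack/msgpack. `miniEncode` is a hypothetical stand-in encoder (nil, fixstr and fixmap only), and the `child_process.exec` call from the report is replaced by a harmless log entry.

```javascript
// Added illustration. `miniEncode` is a hypothetical stand-in serializer,
// not the implementation used by @msgpack/msgpack.
const events = []; // records the order in which things happen

// Minimal MessagePack encoder: nil, short strings (fixstr), small maps (fixmap).
function encodeValue(value) {
  if (value === undefined || value === null) return [0xc0]; // nil
  if (typeof value === "string") {
    const utf8 = [...Buffer.from(value, "utf8")];
    if (utf8.length > 31) throw new RangeError("only fixstr is supported here");
    return [0xa0 | utf8.length, ...utf8];
  }
  if (typeof value === "object") {
    const keys = Object.keys(value);
    if (keys.length > 15) throw new RangeError("only fixmap is supported here");
    const body = keys.flatMap((k) => [...encodeValue(k), ...encodeValue(value[k])]);
    return [0x80 | keys.length, ...body];
  }
  throw new TypeError("unsupported type: " + typeof value);
}

function miniEncode(value) {
  events.push("encoder called");
  return Buffer.from(encodeValue(value));
}

// Same shape as the expression in the report: an anonymous function that is
// invoked immediately and has no return statement.
function buildReportedObject() {
  return {
    exploit: (function () {
      events.push("IIFE body ran in caller"); // constructed, harmless side effect
    })(),
  };
}

function demo() {
  events.length = 0;
  const obj = buildReportedObject(); // the IIFE runs here, in the caller
  const exploitValue = obj.exploit; // what the encoder will actually receive
  const hex = miniEncode(obj).toString("hex"); // 0x81, fixstr "exploit", nil
  return { exploitValue, hex, events: [...events] };
}

console.log(demo());
```

The function body runs while the object literal is being built, before the encoder is called, and the encoder's input contains only the key `exploit` with the value `undefined`.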
