
MessagePack-CSharp CVE-2026-48511

EUVD-2026-38385 · MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-06-22 · GitHub_M
6.3 (CVSS 4.0) · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 3.7 LOW

AC:H reflects the requirement that the target explicitly uses ExpandoObjectFormatter; PR:N because no authentication is needed once the endpoint is reachable; A:L for a limited, non-total availability impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis Generated: Jun 22, 2026 - 22:27 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

Analysis (AI)

Quadratic CPU and memory allocation behavior in MessagePack-CSharp's ExpandoObjectFormatter enables remote unauthenticated attackers to degrade or deny service by submitting attacker-controlled MessagePack maps containing many distinct keys. Affected are all releases prior to 2.5.301 (2.x branch) and 3.1.7 (3.x branch). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify network endpoint accepting MessagePack input
  • Delivery: Craft map payload with thousands of unique string keys
  • Exploit: Submit payload to ExpandoObjectFormatter deserializer
  • Execution: Each key insertion triggers linear array scan in ExpandoObject internals
  • Persist: Quadratic CPU and memory cost exhausts service resources
  • Impact: Availability degraded for legitimate users

Vulnerability Assessment (AI)

Exploitation: The target application must explicitly use ExpandoObjectFormatter or ExpandoObjectResolver from MessagePack-CSharp to deserialize input. This requires a deliberate opt-in by the developer and is not the default MessagePack-CSharp configuration. …

Risk Assessment: The provided CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) scores 6.3, which reasonably reflects the constrained impact profile. …

Exploit Scenario: An attacker sends a crafted MessagePack binary message containing a map with tens of thousands of unique string keys to a .NET service endpoint that uses ExpandoObjectFormatter to deserialize user-supplied content. Each key insertion into ExpandoObject triggers a linear scan of the existing key array, so total processing time and heap allocation grow quadratically with the key count. …

Remediation: Upgrade to MessagePack-CSharp 2.5.301 (for 2.x users) or 3.1.7 (for 3.x users), as confirmed by the vendor advisory at https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59. …
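The upgrade is the fix; the description above also makes clear why MessagePackSecurity.UntrustedData alone does not help here (the collision-resistant comparer never sees ExpandoObject's internal member array). For a service that cannot upgrade immediately, or that wants defence in depth on an untrusted ingress, the following added example (not code from the advisory or from the MessagePack-CSharp project) shows two compensating controls: a byte cap plus a top-level map-header check applied before ExpandoObjectFormatter runs, and the alternative of deserializing the same payload into a plain Dictionary<string, object>, where the UntrustedData comparer does apply. The class name, the two limits and the method names are assumptions for this example; the MessagePack API calls (MessagePackReader, ReadMapHeader, ExpandoObjectResolver.Options, ContractlessStandardResolver.Options, WithSecurity) are the library's own.

```csharp
using System;
using System.Collections.Generic;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Added example, not code from the advisory or the MessagePack-CSharp project.
// Hypothetical names: GuardedDeserializer, MaxPayloadBytes, MaxTopLevelEntries.
public static class GuardedDeserializer
{
    // Assumed limits for this example; size them for the service's real messages.
    public const int MaxPayloadBytes = 64 * 1024;
    public const int MaxTopLevelEntries = 256;

    // The advisory notes that ExpandoObjectResolver.Options already carries
    // MessagePackSecurity.UntrustedData; WithSecurity here only makes that explicit.
    // It does not bound ExpandoObject insertion cost, which is why RejectOversized exists.
    private static readonly MessagePackSerializerOptions ExpandoOptions =
        ExpandoObjectResolver.Options.WithSecurity(MessagePackSecurity.UntrustedData);

    // Contractless options under UntrustedData: Dictionary<string, object> is built with
    // the collision-resistant comparer, so its insertion cost stays near-linear.
    private static readonly MessagePackSerializerOptions DictionaryOptions =
        ContractlessStandardResolver.Options.WithSecurity(MessagePackSecurity.UntrustedData);

    // Compensating control for hosts still on a vulnerable version: bound the bytes and
    // the top-level entry count before the formatter ever touches ExpandoObject.
    public static ExpandoObject DeserializeExpando(ReadOnlyMemory<byte> payload)
    {
        RejectOversized(payload);
        return MessagePackSerializer.Deserialize<ExpandoObject>(payload, ExpandoOptions);
    }

    // Preferred shape for untrusted input: a plain dictionary instead of ExpandoObject.
    public static Dictionary<string, object> DeserializeDictionary(ReadOnlyMemory<byte> payload)
    {
        RejectOversized(payload);
        return MessagePackSerializer.Deserialize<Dictionary<string, object>>(payload, DictionaryOptions);
    }

    private static void RejectOversized(ReadOnlyMemory<byte> payload)
    {
        if (payload.Length > MaxPayloadBytes)
            throw new MessagePackSerializationException(
                $"payload is {payload.Length} bytes; cap is {MaxPayloadBytes}");

        // MessagePackReader is a forward-only ref struct over the buffer; reading the
        // header here does not affect the separate Deserialize call that follows.
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Map)
            throw new MessagePackSerializationException("expected a map at the top level");

        int entries = reader.ReadMapHeader();
        if (entries > MaxTopLevelEntries)
            throw new MessagePackSerializationException(
                $"top-level map declares {entries} entries; cap is {MaxTopLevelEntries}");
    }
}

// Usage sketch with a constructed two-entry map {"a": 1, "b": 2}:
//   byte[] ok = MessagePackSerializer.Serialize(
//       new Dictionary<string, object> { ["a"] = 1, ["b"] = 2 });
//   dynamic doc = GuardedDeserializer.DeserializeExpando(ok);
//   var dict = GuardedDeserializer.DeserializeDictionary(ok);
```

The header check only inspects the top-level map; nested maps under ExpandoObjectResolver also become ExpandoObject instances, so the byte cap is the control that bounds them, since every key/value pair costs at least a few bytes of input. Treat both limits as a stopgap: the advisory's fix versions (2.5.301 and 3.1.7) remain the remediation.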
