EUVD-2026-38363Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires typeless deserialization mode and attacker-controlled payload (AC:H); no scope change; integrity-only impact per advisory.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
MessagePack for C
is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.
AnalysisAI
Typeless deserialization in MessagePack-CSharp allows blocked types to be instantiated by wrapping them inside arrays or generic type constructs, bypassing the ThrowIfDeserializingTypeIsDisallowed safety check. Applications using typeless deserialization on MessagePack-CSharp prior to versions 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are exposed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must be using MessagePack-CSharp's typeless deserialization mode - standard typed deserialization is not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) scores 6.3 and signals a network-reachable vulnerability with meaningful exploitation prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted MessagePack binary payload to a network endpoint that invokes typeless deserialization, embedding a blocklisted .NET type wrapped inside an array or generic container such as List<BlockedType>. The outer type check passes, the library materializes a formatter for the inner blocked type, and the type is instantiated - potentially triggering a .NET gadget chain that achieves an integrity violation or further exploitation depending on available types in the runtime environment. … |
| Remediation | Vendor-released patches are available: upgrade to MessagePack-CSharp 2.5.301 (for 2.x users) or 3.1.7 (for 3.x users). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host pr
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash application
Insecure default initialization in MessagePack for C#'s ASP.NET Core MVC formatter exposes .NET web applications to hash
LZ4 decompression in MessagePack for C# prior to versions 2.5.301 (v2 branch) and 3.1.7 (v3 branch) allows remote attack
Quadratic CPU and memory allocation behavior in MessagePack-CSharp's ExpandoObjectFormatter enables remote unauthenticat
Share
External POC / Exploit Code
Leaving vuln.today