
MessagePack-CSharp EUVD-2026-38384 | CVE-2026-48512 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-06-22 · GitHub_M
6.3 (CVSS 4.0) · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.9 MEDIUM
Rationale: High complexity because specific JSON conversion APIs must be exposed to untrusted input; uncatchable process crash warrants A:H, not Low.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis Generated: Jun 22, 2026 - 22:26 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader). Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.

Analysis (AI)

Uncontrolled recursion in MessagePack-CSharp's JSON conversion helpers allows remote attackers to crash .NET host processes via an uncatchable StackOverflowException, producing a denial-of-service condition in applications that route untrusted input through these APIs. Three independent recursive code paths - ConvertFromJson's FromJsonCore(), TinyJsonReader.ReadNextToken() (which recurses once per comma or colon character, enabling exploitation via malformed JSON), and the ConvertToJson ext-100 typeless extension branch - all bypass the library's existing MessagePackSecurity depth-limit enforcement. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify service endpoint accepting JSON for MessagePack conversion
Delivery: Craft deeply nested JSON or long separator-run payload
Exploit: Submit payload to ConvertFromJson, ConvertToJson (ext-100), or TinyJsonReader path
Install: Trigger unguarded recursion bypassing MaximumObjectGraphDepth
C2: Exhaust .NET thread stack
Execute: Uncatchable StackOverflowException crashes host process
Impact: Service unavailable (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target application to actively use one of three specific JSON conversion APIs: MessagePackSerializer.ConvertFromJson (which calls FromJsonCore()), MessagePackSerializer.ConvertToJson when processing MessagePack ext-100 (typeless) payloads, or TinyJsonReader.ReadNextToken() directly. …

Risk Assessment: The vendor-provided CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L) scores 6.3 (Medium), reflecting a network-reachable path with high complexity and additional prerequisites. …

Exploit Scenario: An attacker sends an HTTP request containing either a deeply nested JSON array/object payload or a syntactically malformed JSON string with thousands of consecutive comma or colon characters to a .NET service that uses MessagePack-CSharp's ConvertFromJson API. The service passes the raw input to FromJsonCore() or TinyJsonReader.ReadNextToken(), which recurses without a depth bound, exhausting the thread stack and triggering an uncatchable StackOverflowException that terminates the host process, taking down the service for all users. …

Remediation: Upgrade to MessagePack-CSharp 2.5.301 (v2 branch) or 3.1.7 (v3 branch), as confirmed by the vendor advisory at https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-cj9g-3mj2-g8vv. …
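As an added example (not code from this page or from the MessagePack-CSharp project), here is a compensating control for the two JSON-text paths in the description and exploit scenario above: a single-pass, non-recursive pre-check that a service can run on raw JSON before calling MessagePackSerializer.ConvertFromJson, measuring bracket nesting depth (the FromJsonCore() path) and runs of consecutive ',' or ':' separators (the TinyJsonReader.ReadNextToken() path). The thresholds and function names are assumptions, and Python is used so the check runs stand-alone; the same loop ports directly to a .NET request filter.

```python
# Added example (not MessagePack-CSharp project code): a single-pass, non-recursive
# pre-check for raw JSON text, run before MessagePackSerializer.ConvertFromJson.
# It measures the two input properties the advisory ties to unbounded recursion:
# bracket/brace nesting depth (FromJsonCore) and runs of consecutive ',' or ':'
# separators (TinyJsonReader.ReadNextToken). Thresholds below are assumptions.
MAX_DEPTH = 64          # assumed cap; choose a value at or below what the app needs
MAX_SEPARATOR_RUN = 1   # valid JSON never has two separators in a row (whitespace aside)


def json_nesting_stats(text: str) -> tuple[int, int]:
    """Return (max nesting depth, longest separator run) for the JSON text.

    Separators inside string literals are ignored; whitespace between separators
    does not end a run, because the reader skips it and recurses on the next one.
    Unbalanced closers are clamped at depth 0 and left for the real parser to reject.
    """
    depth = max_depth = 0
    run = max_run = 0
    in_string = escape = False
    for ch in text:
        if in_string:                       # track string state so '"[,,,"' is harmless
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string, run = True, 0
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
            run = 0
        elif ch in "]}":
            depth = max(depth - 1, 0)
            run = 0
        elif ch in ",:":
            run += 1
            max_run = max(max_run, run)
        elif not ch.isspace():              # any other token character ends a run
            run = 0
    return max_depth, max_run


def is_safe_to_convert(text: str, max_depth: int = MAX_DEPTH,
                       max_run: int = MAX_SEPARATOR_RUN) -> bool:
    """True when the text may be handed to ConvertFromJson under the configured limits."""
    depth, run = json_nesting_stats(text)
    return depth <= max_depth and run <= max_run
```

This check covers only JSON text input; the ConvertToJson ext-100 path takes binary MessagePack and is not addressed by it.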
