Messagepack Csharp
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation that uses an attacker-controlled extension length before validating it, so a tiny payload can claim a massive stack allocation. No public exploit has been identified at time of analysis; the CVSS 4.0 score of 8.2 reflects high availability impact tempered by attack complexity requirements.
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash applications by sending deeply nested MessagePack payloads that trigger an uncatchable StackOverflowException via MessagePackReader.TrySkip(). The flaw bypasses the library's own MaximumObjectGraphDepth safeguard because TrySkip() recurses into nested structures without incrementing the depth counter, making any application that deserializes untrusted MessagePack data exploitable. No public exploit has been identified at time of analysis, but the bug is straightforward to trigger and fixes are already published upstream.
Insecure default initialization in MessagePack for C#'s ASP.NET Core MVC formatter exposes .NET web applications to hash-collision denial-of-service attacks. The parameterless `MessagePackInputFormatter()` constructor silently applies `MessagePackSecurity.TrustedData` to HTTP request bodies (data that by definition crosses a trust boundary), bypassing the hash-seed randomization that `MessagePackSecurity.UntrustedData` provides. Vendor-released patches are available in versions 2.5.301 and 3.1.7; no public exploit code or CISA KEV listing has been identified at time of analysis.
LZ4 decompression in MessagePack for C# prior to versions 2.5.301 (v2 branch) and 3.1.7 (v3 branch) allows remote attackers to force excessive heap memory allocations via crafted Lz4Block or Lz4BlockArray payloads that declare arbitrarily large uncompressed lengths. The library allocates an output buffer sized to the attacker-controlled wire-format length field before performing any validation of the compressed data or the reasonableness of the declared expansion, enabling a classic decompression-bomb denial-of-service. No public exploit has been identified at time of analysis and no CISA KEV listing exists; however, the attack pattern is mechanically straightforward for any application that accepts untrusted MessagePack data with LZ4 compression enabled.
Quadratic CPU and memory allocation behavior in MessagePack-CSharp's ExpandoObjectFormatter enables remote unauthenticated attackers to degrade or deny service by submitting attacker-controlled MessagePack maps containing many distinct keys. All releases prior to 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are affected. No public exploit code has been identified at time of analysis, and no CISA KEV listing was referenced in available intelligence.
Uncontrolled recursion in MessagePack-CSharp's JSON conversion helpers allows remote attackers to crash .NET host processes via an uncatchable StackOverflowException, producing a denial-of-service condition in applications that route untrusted input through these APIs. Three independent recursive code paths bypass the library's existing MessagePackSecurity depth-limit enforcement: ConvertFromJson's FromJsonCore(), TinyJsonReader.ReadNextToken() (which recurses once per comma or colon character, so malformed JSON alone is enough to trigger it), and the ConvertToJson ext-100 typeless extension branch. No public exploit has been identified at time of analysis, and only applications explicitly using the JSON conversion helpers (not normal typed MessagePack deserialization) are exposed.
Uncontrolled recursion in MessagePack for C# allows network-reachable attackers to crash applications by submitting deeply nested union-type payloads that bypass the library's object graph depth protection. DynamicUnionResolver's runtime-generated deserializers omit the required MessagePackSecurity.DepthStep calls, leaving union code paths entirely outside the recursion guard that protects all other formatter paths. No public exploit or active KEV listing exists at time of analysis, but any application deserializing untrusted MessagePack data via union types over a network endpoint is exposed to availability-only impact.
Unchecked large-array allocation in MessagePack for C# exposes any .NET application deserializing untrusted MessagePack extension payloads to a denial-of-service condition. The UnsafeBlitFormatterBase<T>.Deserialize method trusts an attacker-supplied byteLength field from the inner extension payload and allocates a T[] array of that size before comparing it against the outer extension header length or remaining input bytes, meaning a few-byte payload can trigger gigabyte-scale allocations. No active exploitation has been confirmed (no CISA KEV listing, no public exploit identified at time of analysis), but the attack requires no authentication and no user interaction, lowering the bar for any attacker with network access to an exposed endpoint.
Heap exhaustion via crafted multi-dimensional array payloads in MessagePack-CSharp affects all v2.x releases before 2.5.301 and all v3.x releases before 3.1.7, enabling remote unauthenticated attackers to trigger disproportionately large heap allocations with minimal payload bytes. The multi-dimensional array formatters (T[,], T[,,], T[,,,]) allocate based on attacker-supplied dimension values before cross-validating against the encoded element count, so a payload declaring a 10000×10000 array with only a handful of elements forces a massive allocation before any guard fires. No public exploit or active exploitation has been confirmed; the CVSS 4.0 score of 6.3 reflects high attack complexity and a specific prerequisite condition (AT:P), constraining realistic risk to services that deserialize untrusted MessagePack containing multi-dimensional array types.
CPU denial of service in MessagePack for C# affects applications deserializing ILookup<TKey,TElement> types from untrusted input, exploitable even when the application has explicitly configured MessagePack's untrusted-data security posture. The InterfaceLookupFormatter constructs its internal dictionary with the default equality comparer rather than the security-aware, randomization-backed comparer provided by options.Security.GetEqualityComparer<TKey>(), silently bypassing the protection the developer believed was active. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AC:H/AT:P rating reflects that exploitation requires crafting keys with deliberate hash collisions.
Typeless deserialization in MessagePack-CSharp allows blocked types to be instantiated by wrapping them inside arrays or generic type constructs, bypassing the ThrowIfDeserializingTypeIsDisallowed safety check. Applications using typeless deserialization on MessagePack-CSharp prior to versions 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are exposed. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects high attack complexity and the prerequisite that typeless deserialization must be enabled and attacker-controlled input must reach the deserializer.