Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In MessagePack-CSharp, the parameterless MessagePackInputFormatter constructor defaults to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. This insecure default allows an attacker to send specially crafted MessagePack payloads that trigger hash-collision attacks against dictionary-like model properties, consuming CPU and potentially leading to denial of service.

Affected Systems

Applications built with MessagePack-CSharp versions prior to 2.5.301 and 3.1.7 that employ the default MessagePackInputFormatter in an ASP.NET Core MVC context are affected. The vulnerability is specific to the vendor and product MessagePack-CSharp:MessagePack-CSharp.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium risk; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through HTTP request bodies that are processed by the vulnerable formatter. An attacker can exploit this by sending a malicious MessagePack payload to cause repeated hash collisions in the deserialization process, leading to high CPU consumption and a denial of service.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack-CSharp to version 2.5.301 or newer, or 3.1.7 or newer, where the default security setting is UntrustedData.
  • If an upgrade cannot be performed immediately, explicitly configure MessagePackInputFormatter to use MessagePackSerializerOptions.Standard with MessagePackSecurity.UntrustedData before adding it to the MVC pipeline.
  • Implement request body size limits and validate payload size to mitigate resource exhaustion risks when receiving MessagePack data.
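Registering the formatter with the options the second and third actions call for, as an added example that is not code from the MessagePack-CSharp project; it assumes a minimal-hosting ASP.NET Core MVC app referencing the MessagePack and MessagePack.AspNetCoreMvcFormatter packages, and the 1 MiB body limit is an assumed value:

```csharp
// Added example (not from the MessagePack-CSharp project): Program.cs for a
// minimal-hosting ASP.NET Core MVC app. Assumes the MessagePack and
// MessagePack.AspNetCoreMvcFormatter packages are referenced.
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Request bodies arrive from across an HTTP trust boundary, so deserialize
// them with the hardened security profile rather than TrustedData.
var untrustedOptions = MessagePackSerializerOptions.Standard
    .WithSecurity(MessagePackSecurity.UntrustedData);

builder.Services.AddControllers(mvc =>
{
    // Vulnerable on releases before 2.5.301 / 3.1.7: the parameterless
    // constructor silently resolves to Standard + TrustedData.
    // mvc.InputFormatters.Add(new MessagePackInputFormatter());

    // Hardened: pass the options explicitly. This is also the interim
    // configuration for an older release that cannot be upgraded yet.
    mvc.InputFormatters.Add(new MessagePackInputFormatter(untrustedOptions));
});

// Bound the amount of data a single request may hand to the formatter.
// 1 MiB is an assumed limit; size it to the largest legitimate payload.
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Limits.MaxRequestBodySize = 1 * 1024 * 1024;
});

var app = builder.Build();
app.MapControllers();
app.Run();
```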



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title | | MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies
Weaknesses | | CWE-1188
References | |
Metrics | | cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:16:50.034Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48509

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-1188: Initialization of a Resource with an Insecure Default