Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MessagePack‑CSharp library uses a constructor that defaults the MessagePackInputFormatter to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. This insecure default allows an attacker to send specially crafted MessagePack payloads that trigger hash‑collision attacks against dictionary‑like model properties, consuming CPU resources and potentially leading to denial of service.

Affected Systems

Applications built with MessagePack‑CSharp versions prior to 2.5.301 and 3.1.7 that employ the default MessagePackInputFormatter in an ASP.NET Core MVC context are affected. The vulnerability is specific to the vendor and product MessagePack‑CSharp:MessagePack‑CSharp.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium risk; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through HTTP request bodies that are processed by the vulnerable formatter. An attacker can exploit this by sending a malicious MessagePack payload to cause repeated hash collisions in the deserialization process, leading to high CPU consumption and a denial of service.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack‑CSharp to version 2.5.301 or newer, or 3.1.7 or newer, where the default security setting is UntrustedData.
  • If an upgrade cannot be performed immediately, explicitly configure MessagePackInputFormatter to use MessagePackSerializerOptions.Standard with MessagePackSecurity.UntrustedData before adding it to the MVC pipeline.
  • Implement request body size limits and validate payload size to mitigate resource exhaustion risks when receiving MessagePack data.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2f33-pr97-265q MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Messagepack
Messagepack messagepack-csharp
Vendors & Products Messagepack
Messagepack messagepack-csharp

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies
Weaknesses CWE-1188
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Messagepack Messagepack-csharp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:02:55.701Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48509

cve-icon Vulnrichment

Updated: 2026-06-23T12:51:05.977Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:16Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default