Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in the MessagePack-CSharp library’s ExpandoObjectFormatter.Deserialize method, which constructs a System.Dynamic.ExpandoObject by adding map entries one by one. Each Add call triggers a linear scan of the internal array and may cause an array copy; when an attacker supplies a map with many distinct keys, the total work grows quadratically, consuming CPU cycles and memory. This can degrade application responsiveness or cause crashes, thereby compromising availability.

Affected Systems

Binaries from MessagePack-CSharp are affected. Versions earlier than 2.5.301 and 3.1.7 are vulnerable; upgrading to 2.5.301, 3.1.7, or later resolves the issue. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 6.3 signals moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog, indicating that active exploitation may be limited or unknown. The attack can be carried out simply by supplying a malicious payload containing a large number of keys to any application that deserializes data with an unpatched version of the library. Privilege escalation is not required, and the exploit path is straightforward. The lack of a KEV listing suggests early detection or low exploitation activity, but the moderate CVSS and the potential for significant resource exhaustion warrant prompt attention.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack-CSharp to version 2.5.301, 3.1.7 or newer, which eliminates the quadratic insertion behavior.
  • If an immediate library upgrade is infeasible, validate or limit the size of maps prior to deserialization to prevent an attacker from sending an excessively large number of keys.
  • Avoid using ExpandoObjectResolver in untrusted contexts or replace it with a resolver that does not rely on ExpandoObject, thereby removing the source of the quadratic work.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:14:54.127Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48511

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-407

    Inefficient Algorithmic Complexity