Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader). Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp contains recursive JSON conversion helpers that fail to enforce a consistent depth limit across all code paths. The ConvertFromJson routine recursively processes nested JSON arrays and objects without consulting the library's global maximum object graph depth setting, while TinyJsonReader.ReadNextToken recursively consumes separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. A similar gap exists in ConvertToJson for the typeless extension branch. An attacker who supplies specially crafted JSON can therefore exhaust the .NET process stack, resulting in an uncatchable StackOverflowException and effectively a denial-of-service condition.

Affected Systems

This issue affects the MessagePack-CSharp library. Versions earlier than 2.5.301 and 3.1.7 are vulnerable. Applications that use this library's JSON conversion helpers on untrusted input should be treated as potentially exposed until a patched version is deployed.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity, but the lack of an EPSS score makes exploitation likelihood unclear. Because the vulnerability lies in the JSON conversion helpers, any service that performs JSON conversion via MessagePack-CSharp on user-controlled data is exposed. No known exploit is tracked in KEV. The StackOverflowException cannot be caught by application code, so the effect is a crash of the hosting process. Code execution is not achieved, but the vulnerability can be abused to consume resources and disrupt availability.

Generated by OpenCVE AI on June 22, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack-CSharp to version 2.5.301 or newer, or 3.1.7 or newer, to obtain the fixed implementation.
  • If upgrade is delayed, validate or limit the depth of JSON input before passing it to the library, such as parsing the JSON into a DOM with depth checks or restricting nested array and object levels.
  • Consider disabling JSON conversion features in environments that do not require them, or employ an application‑level watchdog to restart the process if a StackOverflowException occurs.
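The depth pre-check suggested in the second action, written out as an added example in C# (this is not OpenCVE's text and not MessagePack-CSharp's own code). It uses System.Text.Json's Utf8JsonReader, which walks the input iteratively and throws a catchable JsonException both when nesting would exceed the configured MaxDepth and when the grammar is violated, so a long run of separators is rejected before the library ever sees it. The MaxJsonDepth value and the SafeJsonToMessagePack class and method names are this example's own assumptions; the sample inputs are constructed.

```csharp
// Added example, not code from OpenCVE or from the MessagePack-CSharp project.
// Assumptions: MaxJsonDepth (32) and the SafeJsonToMessagePack names are choices
// made for this example; the System.Text.Json and MessagePack APIs used are real.
using System;
using System.Text;
using System.Text.Json;
using MessagePack;

public static class SafeJsonToMessagePack
{
    // Assumed bound. Keep it well below what the process stack tolerates and in line
    // with the MessagePackSecurity.MaximumObjectGraphDepth you configure elsewhere.
    public const int MaxJsonDepth = 32;

    // Returns true only for well-formed JSON whose nesting never exceeds MaxJsonDepth.
    // Utf8JsonReader enforces MaxDepth and grammar inside Read(), throwing JsonException
    // (catchable) instead of recursing, so malformed input such as ",,,,," is rejected too.
    public static bool IsWithinDepthLimit(ReadOnlySpan<byte> utf8Json, out string reason)
    {
        var options = new JsonReaderOptions
        {
            MaxDepth = MaxJsonDepth,
            AllowTrailingCommas = false,
            CommentHandling = JsonCommentHandling.Disallow,
        };

        try
        {
            var reader = new Utf8JsonReader(utf8Json, options);
            while (reader.Read())
            {
                // Nothing to do per token; advancing is what performs the checks.
            }
            reason = null;
            return true;
        }
        catch (JsonException ex)
        {
            reason = ex.Message;
            return false;
        }
    }

    // Hands the input to the library only after the pre-check passes, so the library's
    // own recursion depth is bounded by the depth just verified.
    public static byte[] ConvertFromJsonGuarded(string json)
    {
        byte[] utf8 = Encoding.UTF8.GetBytes(json);
        if (!IsWithinDepthLimit(utf8, out string reason))
        {
            throw new ArgumentException($"Rejected JSON input: {reason}", nameof(json));
        }
        return MessagePackSerializer.ConvertFromJson(json);
    }

    public static void Main()
    {
        // Constructed sample inputs: one benign document, one deeply nested array,
        // and one malformed document made of a long separator run.
        string ok = "{\"name\":\"alice\",\"tags\":[1,2,[3,[4]]]}";
        string deep = new string('[', 10_000) + new string(']', 10_000);
        string separators = "[" + new string(',', 100_000) + "]";

        foreach (var (label, text) in new[] { ("ok", ok), ("deep", deep), ("separators", separators) })
        {
            bool accepted = IsWithinDepthLimit(Encoding.UTF8.GetBytes(text), out string reason);
            Console.WriteLine($"{label}: {(accepted ? "accepted" : "rejected: " + reason)}");
        }

        byte[] msgpack = ConvertFromJsonGuarded(ok);
        Console.WriteLine($"Converted {msgpack.Length} bytes of MessagePack.");
    }
}
```

Only the benign document reaches ConvertFromJson; the other two are refused with a catchable exception. The pre-check covers the ConvertFromJson direction; for ConvertToJson on untrusted MessagePack bytes, the upgrade remains the fix, since the unchecked path there is inside the library's reader.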



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           Identical to the Description above.
Title        (none)           MessagePack-CSharp: JSON conversion APIs can recurse without consistent depth enforcement
Weaknesses   (none)           CWE-674
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:14:20.241Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48512

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses