Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DynamicUnionResolver emits deserializers that skip depth enforcement checks when processing union data. The deserialization of attacker‑controlled data can bypass the library’s maximum object graph depth enforcement, allowing deep or recursive structures that may cause excessive memory consumption or stack overflows. This weakness can lead to denial of service or resource exhaustion for applications that accept untrusted MessagePack payloads.

Affected Systems

Any project using MessagePack-CSharp prior to version 2.5.301 or 3.1.7, including the MessagePack-CSharp library itself. The vulnerability is present in all impacted releases until the fixed versions are deployed.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it when they supply crafted MessagePack data to an application that uses DynamicUnionResolver without patching; the lack of depth checks is the primary exploitation vector and requires a remote attacker to influence the payload being deserialized.

Generated by OpenCVE AI on June 22, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MessagePack-CSharp version 2.5.301 or later, or 3.1.7 or later.
  • If an immediate upgrade is not possible, disable DynamicUnionResolver for untrusted data or avoid deserializing unknown union keys until the patch is applied.
  • Consider implementing manual depth checks by calling MessagePackSecurity.DepthStep, or a custom guard around deserialization of union types, as an additional mitigation.

Generated by OpenCVE AI on June 22, 2026 at 23:27 UTC.
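The manual depth guard the last recommendation refers to, shown as an added example that is not code from MessagePack-CSharp or from this advisory: a hand-written union formatter for a hypothetical recursive Tree type (Leaf and Node are constructed for the example) using the same [key, value] array layout the generated union deserializers use, with DepthStep and the matching Depth decrement wrapped around both the recursive deserialization and the Skip of an unknown key.

```csharp
using MessagePack;
using MessagePack.Formatters;
// Hypothetical recursive union type, constructed for this example.
public abstract class Tree { }
[MessagePackObject]
public sealed class Leaf : Tree { [Key(0)] public int Value { get; set; } }
[MessagePackObject]
public sealed class Node : Tree
{
    [Key(0)] public Tree? Left { get; set; }
    [Key(1)] public Tree? Right { get; set; }
}

// Union wire format: a 2-element array [key, value], as the generated
// union formatters produce. Every recursive path, and the Skip() of an
// unknown key, runs inside a depth step so MaximumObjectGraphDepth applies.
public sealed class TreeFormatter : IMessagePackFormatter<Tree?>
{
    public void Serialize(ref MessagePackWriter writer, Tree? value, MessagePackSerializerOptions options)
    {
        if (value is null) { writer.WriteNil(); return; }
        writer.WriteArrayHeader(2);
        switch (value)
        {
            case Leaf leaf: writer.Write(0); options.Resolver.GetFormatterWithVerify<Leaf>().Serialize(ref writer, leaf, options); break;
            case Node node: writer.Write(1); options.Resolver.GetFormatterWithVerify<Node>().Serialize(ref writer, node, options); break;
            default: throw new MessagePackSerializationException("Unknown union case " + value.GetType());
        }
    }

    public Tree? Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) return null;
        options.Security.DepthStep(ref reader); // throws once the configured depth limit is exceeded
        try
        {
            if (reader.ReadArrayHeader() != 2) throw new MessagePackSerializationException("Union must be [key, value]");
            switch (reader.ReadInt32())
            {
                case 0: return options.Resolver.GetFormatterWithVerify<Leaf>().Deserialize(ref reader, options);
                case 1: return options.Resolver.GetFormatterWithVerify<Node>().Deserialize(ref reader, options);
                default: reader.Skip(); return null; // unknown key: skipped inside the depth step
            }
        }
        finally
        {
            reader.Depth--; // leave the level on every exit path, including exceptions
        }
    }
}
```

Register it ahead of the standard resolvers, for example with CompositeResolver.Create(new IMessagePackFormatter[] { new TreeFormatter() }, new IFormatterResolver[] { StandardResolver.Instance }), so it takes precedence over the generated union formatter for Tree.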

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Values added (no values removed):

  • Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
  • Title: MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement
  • Weaknesses: CWE-674
  • References: (none)
  • Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:12:43.104Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48513

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses