Impact
MessagePack-CSharp for C# contains a vulnerability where the multi‑dimensional array formatters read dimension lengths directly from the incoming payload and allocate a large array before verifying that the product of those dimensions matches the encoded element count. The formatter checks the element array header, but the actual memory allocation occurs prior to that validation. An attacker can craft a small payload that specifies huge dimensions, forcing the deserializer to allocate a big T[,,] or T[,,,] array, consuming large amounts of heap space before any element data is processed. This results in excessive memory usage which can degrade performance or exhaust system memory, leading to a denial of service. The weakness is classified as CWE‑770, a resource exhaustion flaw. No direct code execution is possible; the impact is limited to availability.
Affected Systems
The vulnerability affects the MessagePack-CSharp library provided by MessagePack-CSharp. Versions prior to 2.5.301 and 3.1.7 are susceptible. Any application that deserializes untrusted MessagePack data using these versions may be at risk.
Risk and Exploitability
The CVSS base score of 6.3 indicates a moderate severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, but the attack vector is inferred to be remote (or local) whenever the library is used to process untrusted input; an attacker can send a malicious payload to trigger the memory allocation. The vulnerability is not listed in CISA’s KEV catalog. The exploit is straightforward once the attacker can provide the offending payload, and the consequence is a denial of service caused by memory exhaustion.
OpenCVE Enrichment
Github GHSA