Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp uses InterfaceLookupFormatter to serialize and deserialize ILookup<TKey,TElement>. In versions prior to 2.5.301 and 3.1.7 it builds an internal dictionary with the default equality comparer rather than the security‑aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This omission allows an attacker to craft hash collisions that cause the serializer to spend excessive CPU time, resulting in a denial‑of‑service for the process. The vulnerability is a use of untrusted input data to trigger CPU overload, classified under CWE‑407.

Affected Systems

All installations of MessagePack-CSharp that use the library before version 2.5.301 or 3.1.7 are affected. This includes applications that reference the MessagePack-CSharp NuGet package and invoke InterfaceLookupFormatter on potentially untrusted data streams. No other products or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog, so the exploitation probability is unclear but a CPU DoS is plausible when an application consumes data from untrusted sources. Attackers would need to send data that triggers the flawed formatter, likely via a network service or API that accepts serialized input. Because the untrusted‑data security posture does not mitigate this flaw, the risk remains until the library is updated.

Generated by OpenCVE AI on June 23, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade your project to MessagePack‑CSharp 2.5.301 or later, or 3.1.7 or later, depending on the branch you use.
  • If an immediate upgrade is not possible, avoid using InterfaceLookupFormatter with untrusted data and consider implementing CPU usage limits or request throttling around serialization to reduce the impact of any potential hash‑collision attack.
  • Implement a time‑out or CPU quota for the formatter, terminating the process if it exceeds a threshold.

Generated by OpenCVE AI on June 23, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q2h6-ghwm-5qm8 MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Messagepack
Messagepack messagepack-csharp
Vendors & Products Messagepack
Messagepack messagepack-csharp

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Messagepack Messagepack-csharp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:54:33.529Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48516

cve-icon Vulnrichment

Updated: 2026-06-23T12:28:19.914Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:26Z

Weaknesses
  • CWE-407

    Inefficient Algorithmic Complexity