Impact
MessagePack-CSharp uses InterfaceLookupFormatter to serialize and deserialize ILookup<TKey,TElement>. In versions prior to 2.5.301 and 3.1.7 it builds an internal dictionary with the default equality comparer rather than the security‑aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This omission allows an attacker to craft hash collisions that cause the serializer to spend excessive CPU time, resulting in a denial‑of‑service for the process. The vulnerability is a use of untrusted input data to trigger CPU overload, classified under CWE‑407.
Affected Systems
All installations of MessagePack-CSharp that use the library before version 2.5.301 or 3.1.7 are affected. This includes applications that reference the MessagePack-CSharp NuGet package and invoke InterfaceLookupFormatter on potentially untrusted data streams. No other products or vendors are listed as impacted.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog, so the exploitation probability is unclear but a CPU DoS is plausible when an application consumes data from untrusted sources. Attackers would need to send data that triggers the flawed formatter, likely via a network service or API that accepts serialized input. Because the untrusted‑data security posture does not mitigate this flaw, the risk remains until the library is updated.
OpenCVE Enrichment
Github GHSA