Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.
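The recursive type check the fix describes, written out as an added example (this is not MessagePack-CSharp's own code and not its ThrowIfDeserializingTypeIsDisallowed implementation): the outer type name is checked first, then the walk descends into array element types and generic type arguments so a blocked type cannot hide inside T[] or List<T>. The deny-list entry and the ConstructedBlockedType placeholder are constructed for the demonstration; the code assumes C# 9 or later.

```csharp
using System;
using System.Collections.Generic;

// Constructed placeholder standing in for a type the deny-list blocks.
public sealed class ConstructedBlockedType { }

public static class NestedTypeGuard
{
    // Constructed deny-list of full type names; a real policy would differ.
    private static readonly HashSet<string> BlockedTypeNames =
        new() { typeof(ConstructedBlockedType).FullName! };
    // Throws if `type`, or any type nested inside it, is on the deny-list.
    public static void ThrowIfDisallowed(Type type) => Walk(type, new HashSet<Type>());

    private static void Walk(Type type, HashSet<Type> visited)
    {
        if (!visited.Add(type)) return; // cycle guard, e.g. T : IComparable<T>

        // Outer-type name check: the only check the vulnerable versions performed.
        if (BlockedTypeNames.Contains(type.FullName ?? type.Name))
            throw new InvalidOperationException($"Deserialization of {type} is disallowed.");

        // Arrays (T[], T[,]), pointers and by-ref types: recurse into the element type.
        if (type.HasElementType)
            Walk(type.GetElementType()!, visited);

        // Constructed generics (List<T>, Dictionary<K,V>): recurse into the open
        // definition and into every type argument, which may itself be nested.
        if (type.IsGenericType && !type.IsGenericTypeDefinition)
        {
            Walk(type.GetGenericTypeDefinition(), visited);
            foreach (var arg in type.GetGenericArguments())
                Walk(arg, visited);
        }
    }
    // Returns true when the type passes, false when it is blocked directly or nested.
    public static bool IsAllowed(Type type)
    {
        try { ThrowIfDisallowed(type); return true; }
        catch (InvalidOperationException) { return false; }
    }

    public static void Main()
    {
        Console.WriteLine(IsAllowed(typeof(List<string>)));                    // plain collection
        Console.WriteLine(IsAllowed(typeof(ConstructedBlockedType[])));        // hidden as array element
        Console.WriteLine(IsAllowed(typeof(Dictionary<string, List<ConstructedBlockedType>>))); // nested two levels
    }
}
```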
Published: 2026-06-22
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp allows typeless deserialization to bypass type restrictions when dangerous types are nested inside arrays or generic arguments. The library checks only the outermost type name and does not recurse into element types or generic arguments, so a blocked type that is wrapped in an array or constructed generic type passes the safety check. Once the formatter machinery materializes formatters for the inner type, an attacker can produce arbitrary objects that may execute code or perform unsafe operations during construction or property assignment, which aligns with CWE-470 and CWE-502.

Affected Systems

The vulnerable product is MessagePack-CSharp. Versions older than 2.5.301 and older than 3.1.7 are affected. Any .NET Framework or .NET Core application that references these earlier releases is at risk until the library is updated.

Risk and Exploitability

The CVSS score of 6.3 reflects moderate severity. No EPSS score is available, so the current exploitation probability cannot be quantified, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers would need to supply malicious serialized data to a typeless deserialization call that accepts untrusted input, which could be delivered through network traffic or user-supplied configuration files. When the nested, prohibited type bypasses the outer check, object instantiation can occur, potentially leading to code execution or denial of service.

Generated by OpenCVE AI on June 22, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack-CSharp to version 2.5.301 or later, or 3.1.7 or later; these releases include the fix that makes the type check recursive.
  • Audit all uses of typeless deserialization in the codebase and restrict them to trusted data only; where possible, replace them with type-specific deserialization.
  • If an upgrade cannot be performed immediately, apply a temporary safeguard by implementing a custom IFormatterResolver that validates inner types (array element types and generic arguments) or blocks deserialization of known dangerous types before allowing typeless deserialization.

Tracking


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Values added (no values removed):
  • Description: MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.
  • Title: MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments
  • Weaknesses: CWE-470, CWE-502
  • References: (none listed)
  • Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:03:30.437Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48517

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:00:16Z

Weaknesses
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • CWE-502: Deserialization of Untrusted Data