PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48511 MessagePack-CSharp CVE debrief

CVE-2026-48511 is a denial of service vulnerability in MessagePack for C# caused by an inefficient ExpandoObjectFormatter.Deserialize method. The method's CPU time and allocations grow quadratically with the size of a map it is asked to deserialize, so a large, attacker-controlled map can exhaust a process. The vulnerability is fixed in versions 2.5.301 and 3.1.7; users should update to one of these versions. It has a CVSS score of 6.3 and is rated MEDIUM severity. Users are advised to act promptly to protect affected systems.

Vendor
MessagePack-CSharp
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-22
Original CVE updated
2026-06-25
Advisory published
2026-06-22
Advisory updated
2026-06-25

Who should care

Developers and administrators running MessagePack for C# versions earlier than 2.5.301 or 3.1.7 should be aware of this vulnerability and take steps to mitigate it, including updating to a fixed version and monitoring systems for signs of abuse. Services that deserialize MessagePack payloads from untrusted sources, particularly into ExpandoObject (dynamic) values, are the ones exposed to this denial of service and should be reviewed first.

Technical summary

The vulnerability lies in the inefficient implementation of the ExpandoObjectFormatter.Deserialize method in MessagePack for C#. When it deserializes a large, attacker-controlled map, the method's CPU usage and allocations grow quadratically with the number of entries, which an attacker can turn into a denial of service. Because the cost comes from the formatter's own per-entry work rather than from hash collisions, collision-resistant dictionary comparers do not mitigate it. The vulnerability is fixed in versions 2.5.301 and 3.1.7; users should update to one of these versions to prevent exploitation.

Defensive priority

Updating MessagePack for C# to version 2.5.301 or 3.1.7 should be treated as high priority. Until the update is deployed, users should monitor their systems for potential attacks and put compensating controls in place to limit the impact of a denial of service.

Recommended defensive actions

  • Update MessagePack for C# to version 2.5.301 or 3.1.7
  • Monitor systems for potential attacks
  • Implement compensating controls to prevent denial of service
  • Review and update incident response plans
  • Perform vulnerability scanning and penetration testing
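The following C# snippet is an added example of the kind of compensating control the list above refers to; it is not code from the MessagePack-CSharp project or from this debrief. It guards a service that deserializes untrusted input into ExpandoObject by (1) capping the raw payload size and (2) peeking at the top-level map header with MessagePackReader before the real deserializer runs, so that a map declaring an enormous entry count is rejected before ExpandoObjectFormatter.Deserialize does any quadratic work. The class name, the limits MaxPayloadBytes and MaxMapEntries, and the TryDeserialize signature are assumptions for this example; MessagePackReader, MessagePackSerializer, MessagePackSerializerOptions and MessagePackSecurity are the library's public types.

```csharp
using System;
using System.Dynamic;
using MessagePack;

// Added example: a pre-deserialization guard for untrusted MessagePack input.
// The class and constant names are assumptions, not MessagePack-CSharp APIs.
public static class GuardedExpandoDeserializer
{
    // Assumed limits; tune them to the largest legitimate message the service accepts.
    private const int MaxPayloadBytes = 64 * 1024;
    private const int MaxMapEntries = 1_000;

    public static bool TryDeserialize(ReadOnlyMemory<byte> payload,
                                      out ExpandoObject? result,
                                      out string? reason)
    {
        result = null;
        reason = null;

        // 1. Cheap byte-count bound. This is the real upper bound on the total
        //    number of map entries (nested maps included), since every entry
        //    occupies at least two bytes on the wire.
        if (payload.Length > MaxPayloadBytes)
        {
            reason = $"payload of {payload.Length} bytes exceeds limit {MaxPayloadBytes}";
            return false;
        }

        // 2. Peek at the top-level header. MessagePackReader is a ref struct that
        //    only inspects the leading bytes here; nothing is allocated yet.
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Map)
        {
            reason = $"expected a map at top level, got {reader.NextMessagePackType}";
            return false;
        }

        int declaredCount = reader.ReadMapHeader();
        if (declaredCount > MaxMapEntries)
        {
            reason = $"map declares {declaredCount} entries, limit is {MaxMapEntries}";
            return false;
        }

        // 3. Only now run the real deserializer. UntrustedData turns on the
        //    library's depth limit and collision-resistant hashing; the advisory
        //    notes that the latter does not fix CVE-2026-48511 on its own, which
        //    is why steps 1 and 2 exist.
        var options = MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData);
        try
        {
            result = MessagePackSerializer.Deserialize<ExpandoObject>(payload, options);
            return result != null;
        }
        catch (MessagePackSerializationException ex)
        {
            reason = $"malformed payload: {ex.Message}";
            return false;
        }
    }
}
```

The header check is a fast fail for the obvious case; the byte cap is what actually bounds the work, because a payload could declare a small top-level map and hide a large one inside a value. Pick MaxPayloadBytes from real traffic and log every rejection with its reason, which also gives the monitoring step above something concrete to alert on. None of this replaces the update to 2.5.301 or 3.1.7.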

Evidence notes

The vulnerability is documented in the CVE record and the NVD detail page. The issue is caused by the inefficient implementation of the ExpandoObjectFormatter.Deserialize method in MessagePack for C#. The vulnerability is fixed in versions 2.5.301 and 3.1.7.

Official resources

This article is AI-assisted and based on the supplied source corpus.