CVE Catalog

CVE-2026-48509

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

MessagePack for C# prior to versions 2.5.301 and 3.1.7 uses default serialization options that can lead to denial-of-service attacks. The default MessagePackInputFormatter() constructor is insecure as it may expose applications to hash-collision attacks against dictionary-like model properties.

Risk Assessment

Organizations may be exposed to denial-of-service attacks that can lead to application downtime and loss of service availability. Exploiting this vulnerability could have serious security implications for applications.

Recommendation

It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability. Additionally, consider reviewing and adjusting serialization options in applications using MessagePack.

Original NVD description (English source)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS