CVE-2026-48511
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
MessagePack for C# has a vulnerability in the ExpandoObjectFormatter's Deserialize method that can lead to significant CPU and memory overhead when handling large attacker-controlled maps. This issue exists prior to versions 2.5.301 and 3.1.7.
Risk Assessment
Organizations may experience application performance degradation due to excessive CPU and memory load, potentially leading to service outages or delays.
Recommendation
It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability and enhance application security.
Original NVD description (English source)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

