CVE Catalog

CVE-2026-48512

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile - higher than 14% of all known CVEs

Summary

MessagePack for C# prior to versions 2.5.301 and 3.1.7 contains multiple recursion paths in the JSON conversion components that do not enforce a depth limit. These paths can lead to process stack exhaustion and trigger an uncatchable StackOverflowException.

Risk Assessment

An attacker could exploit this vulnerability to initiate an attack that causes application crashes, potentially resulting in downtime and loss of service availability.

Recommendation

It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability and to implement monitoring and input depth processing limits.

Original NVD description (English source)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader). Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS