CVE-2026-48506

HIGH

MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth

Title source: cna
STIX 2.1

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0027
EPSS Percentile 19.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-674
Status published
Products (5)
messagepack/messagepack < 2.5.301
MessagePack-CSharp/MessagePack-CSharp < 2.5.301
MessagePack-CSharp/MessagePack-CSharp >= 3.1.7, < 3.1.7
nuget/MessagePack 0 - 2.5.301NuGet
nuget/MessagePack 3.0 - 3.1.7NuGet
Published Jun 22, 2026
Tracked Since Jun 23, 2026