CVE-2026-48509

CRITICAL

MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies

Title source: cna
STIX 2.1

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.

References (1)

Core 1

Scores

CVSS v3 9.1
EPSS 0.0024
EPSS Percentile 14.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1188
Status published
Products (6)
messagepack/messagepack < 2.5.301
MessagePack-CSharp/MessagePack-CSharp < 2.5.301
MessagePack-CSharp/MessagePack-CSharp >= 3.0, < 3.1.7
MessagePack-CSharp/MessagePack-CSharp >= 3.1.7, < 3.1.7
nuget/MessagePack 0 - 2.5.301NuGet
nuget/MessagePack 3.0 - 3.1.7NuGet
Published Jun 22, 2026
Tracked Since Jun 23, 2026