CVE-2026-48511

HIGH

MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps

Title source: cna
STIX 2.1

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-407
Status published
Products (6)
messagepack/messagepack < 2.5.301
MessagePack-CSharp/MessagePack-CSharp < 2.5.301
MessagePack-CSharp/MessagePack-CSharp >= 3.0, < 3.1.7
MessagePack-CSharp/MessagePack-CSharp >= 3.1.7, < 3.1.7
nuget/MessagePack 0 - 2.5.301NuGet
nuget/MessagePack 3.0 - 3.1.7NuGet
Published Jun 22, 2026
Tracked Since Jun 23, 2026