CVE-2026-48511 | MessagePack for C# is a MessagePack serializer for C#. Prior… | CVSS 6.3 MEDIUM

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

Metadata

CVE ID: CVE-2026-48511
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-21 16:18 UTC
Published: 2026-06-22 21:14 UTC
Last updated: 2026-06-22 21:14 UTC
Primary CWE: CWE-407
CWE-407: Inefficient Algorithmic Complexity
Vendor / Product: MessagePack-CSharp / MessagePack-CSharp
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
MessagePack-CSharp	MessagePack-CSharp	—	>= 3.1.7, < 3.1.7, < 2.5.301

Weakness (CWE)

CWE	Source	Description
CWE-407	cna	CWE-407: Inefficient Algorithmic Complexity

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (1)

https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59 https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59