CVE-2026-48509
Analyzed Analyzed - Analysis Complete

MessagePack for C# Denial-of-Service via Insecure Defaults

Vulnerability report for CVE-2026-48509, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in MessagePack for C#, a serializer used in ASP.NET Core MVC applications. Before versions 2.5.301 and 3.1.7, the parameterless constructor of MessagePackInputFormatter used insecure default serializer options that trusted incoming data. This is problematic because the formatter processes HTTP request bodies, which come from untrusted sources. The insecure default setting can expose applications to denial-of-service attacks, such as hash-collision attacks targeting dictionary-like model properties.

Impact Analysis

The vulnerability can lead to denial-of-service (DoS) attacks against your application. Attackers can exploit the insecure default serializer options to perform hash-collision attacks on dictionary-like model properties, potentially causing your application to become unresponsive or crash when processing maliciously crafted input.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade MessagePack for C# to version 2.5.301 or later, or 3.1.7 or later.

This update changes the default serializer options used by the parameterless MessagePackInputFormatter() constructor to avoid using MessagePackSecurity.TrustedData, which is insecure for ASP.NET Core MVC request bodies crossing HTTP trust boundaries.

By upgrading, you ensure that the formatter uses safer options intended to mitigate denial-of-service attacks such as hash-collision attacks.

Compliance Impact

The vulnerability in MessagePack for C# involves the use of insecure default serializer options that can expose applications to denial-of-service attacks. Since these attacks can affect the availability and reliability of applications handling sensitive data, this may impact compliance with standards and regulations such as GDPR and HIPAA, which require ensuring data integrity and availability.

Specifically, the vulnerability allows hash-collision attacks against dictionary-like model properties crossing HTTP trust boundaries, potentially leading to service disruption. Such disruptions could violate regulatory requirements for maintaining secure and reliable processing of personal or protected health information.

However, the provided information does not explicitly detail the direct compliance implications or mention specific standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48509. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart