CVE-2026-48509
MessagePack for C# Denial-of-Service via Insecure Defaults

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.
Generated: 2026-06-23
Affected Vendors & Products

Vendor   Product                  Version / Range
neuecc   messagepack_for_csharp   2.5.301
neuecc   messagepack_for_csharp   3.1.7
CWE

CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Executive Summary

This vulnerability exists in MessagePack for C#, a serializer used in ASP.NET Core MVC applications. Before versions 2.5.301 and 3.1.7, the parameterless constructor of MessagePackInputFormatter used insecure default serializer options (MessagePackSecurity.TrustedData) that treated incoming data as trusted. This is problematic because the formatter processes HTTP request bodies, which come from untrusted sources. The insecure default can expose applications to denial-of-service attacks, such as hash-collision attacks targeting dictionary-like model properties.

Impact Analysis

The vulnerability can lead to denial-of-service (DoS) attacks against your application. Attackers can exploit the insecure default serializer options to perform hash-collision attacks on dictionary-like model properties, potentially causing your application to become unresponsive or crash when processing maliciously crafted input.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade MessagePack for C# to version 2.5.301 or later, or 3.1.7 or later.

This update changes the default serializer options used by the parameterless MessagePackInputFormatter() constructor so that it no longer uses MessagePackSecurity.TrustedData, which is insecure for ASP.NET Core MVC request bodies that cross an HTTP trust boundary.

By upgrading, you ensure that the formatter uses safer options intended to mitigate denial-of-service attacks such as hash-collision attacks.
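The configuration below is an added example, not code from the advisory or from the MessagePack-CSharp project: it shows the weak registration beside a corrected one that passes hardened options explicitly, so the formatter is safe regardless of library version. It assumes the formatter exposes a constructor overload that accepts MessagePackSerializerOptions, and that the same options object is reused for any manual deserialization.

```csharp
using System.Collections.Generic;
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Serializer options for bytes that cross an HTTP trust boundary.
// UntrustedData enables the hash-collision-resistant collection handling
// and nesting-depth limits that the Standard/TrustedData default omits.
MessagePackSerializerOptions untrustedOptions = MessagePackSerializerOptions.Standard
    .WithSecurity(MessagePackSecurity.UntrustedData);

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers(mvc =>
{
    // Weak before 2.5.301 / 3.1.7: the parameterless constructor resolves to
    // Standard + TrustedData for request bodies (CWE-1188 insecure default).
    // mvc.InputFormatters.Add(new MessagePackInputFormatter());

    // Corrected on any version: pass hardened options explicitly.
    // Assumption: the formatter has an options-taking constructor overload.
    mvc.InputFormatters.Add(new MessagePackInputFormatter(untrustedOptions));
    mvc.OutputFormatters.Add(new MessagePackOutputFormatter(untrustedOptions));
});

var app = builder.Build();
app.MapControllers();

// Any code path that deserializes request bytes by hand should reuse the same
// hardened options instead of falling back to the library default.
static Dictionary<string, int> ParseCounts(byte[] body, MessagePackSerializerOptions options) =>
    MessagePackSerializer.Deserialize<Dictionary<string, int>>(body, options);

app.Run();
```

Auditing for the parameterless MessagePackInputFormatter() call in service registration is a quick way to find affected code paths, even after upgrading, since explicit options make the intended trust level visible in review.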
