CVE-2026-48511
Status: Received - Intake
Denial of Service in MessagePack for C#

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor Product Version / Range
neuecc messagepack_for_csharp 2.5.301
neuecc messagepack_for_csharp 3.1.7
CWE
CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Executive Summary

This vulnerability exists in MessagePack for C#, specifically in versions prior to 2.5.301 and 3.1.7. The ExpandoObjectFormatter.Deserialize method populates a System.Dynamic.ExpandoObject by adding each map entry using IDictionary<string, object>.Add. Internally, ExpandoObject maintains member names in array-like structures, so inserting many distinct keys causes repeated linear scans and array copies. When processing large attacker-controlled maps, this results in quadratic CPU and memory allocation behavior, leading to performance degradation.

The issue is notable because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, which substitutes collision-resistant dictionary comparers; those comparers guard against hash-collision attacks on dictionaries but cannot change the cost of ExpandoObject's internal member insertion, so the quadratic behavior remains.

This vulnerability was fixed in versions 2.5.301 and 3.1.7 of MessagePack for C#.

Impact Analysis

This vulnerability can lead to significant performance degradation when deserializing large attacker-controlled maps using MessagePack for C#. The quadratic CPU and memory allocation behavior can cause excessive resource consumption, potentially leading to denial of service (DoS) conditions where the application becomes slow or unresponsive.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or later, or 3.1.7 or later, where the issue has been fixed.
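Where an upgrade cannot be rolled out immediately, one defence-in-depth check that follows from the mechanism in the Description is to read only the outer map header with MessagePackReader and reject maps above an application-chosen limit before ExpandoObjectFormatter runs. This is an added example, not code from the MessagePack for C# project; the class name and the MaxExpandoMembers limit are assumptions for this illustration, and the library APIs used (MessagePackReader, ReadMapHeader, ExpandoObjectResolver.Options) are assumed to be present in the deployed version.

```csharp
using System;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Added example (not project code): cap the number of map entries that an
// untrusted payload may declare before it reaches ExpandoObjectFormatter.
public static class BoundedExpandoDeserializer
{
    // Assumed application limit; pick the smallest value your schema needs.
    public const int MaxExpandoMembers = 256;

    public static ExpandoObject Deserialize(ReadOnlyMemory<byte> payload)
    {
        // First pass: inspect the top-level header only. Nothing is
        // allocated for the members yet, so this is O(1) regardless of size.
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Map)
        {
            throw new MessagePackSerializationException(
                "Expected a MessagePack map at the top level.");
        }

        int declared = reader.ReadMapHeader();
        if (declared > MaxExpandoMembers)
        {
            // Reject before any ExpandoObject insertion happens; the
            // attacker-controlled count never drives the quadratic path.
            throw new MessagePackSerializationException(
                $"Map declares {declared} members; limit is {MaxExpandoMembers}.");
        }

        // Second pass: the outer map is within bounds, so the insertion
        // cost into ExpandoObject is capped by MaxExpandoMembers.
        return MessagePackSerializer.Deserialize<ExpandoObject>(
            payload, ExpandoObjectResolver.Options);
    }
}
```

The header check bounds only the top-level map; if nested values may themselves be large maps, walk the payload recursively with the same reader (using Skip for values) before deserializing, or deserialize into a typed model rather than ExpandoObject.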
