CVE-2026-48512
Analyzed Analyzed - Analysis Complete

Stack Overflow in MessagePack for C# JSON Conversion

Vulnerability report for CVE-2026-48512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader). Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in MessagePack for C#, specifically in its JSON conversion helpers prior to versions 2.5.301 and 3.1.7. The issue arises because multiple recursion paths in the JSON conversion component do not consistently enforce a depth limit. This means that when processing nested JSON arrays and objects, the software can recursively consume stack frames without proper checks, especially when handling malformed JSON with long runs of separator characters.

As a result, attacker-controlled input can cause the process stack to be exhausted, leading to an uncatchable StackOverflowException instead of a normal, catchable parse or serialization exception. This vulnerability is fixed in versions 2.5.301 and 3.1.7.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service condition. By sending specially crafted JSON input that exploits the unchecked recursion depth, the attacker can trigger a StackOverflowException that crashes the process running the MessagePack for C# serializer.

Because the exception is uncatchable, it can lead to application instability or downtime, potentially disrupting services that rely on this serialization library.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or 3.1.7 or later, where the issue has been fixed.

Detection Guidance

This vulnerability affects the JSON conversion APIs of the MessagePack-CSharp library when processing untrusted data, leading to uncontrolled recursion and potential stack overflow. Detection involves monitoring for unusual stack overflow exceptions or crashes in applications using MessagePack-CSharp's JSON conversion functions.

Since the vulnerability is triggered by deeply nested JSON arrays/objects or malformed JSON with long separator runs, you can detect attempts by inspecting logs or network traffic for unusually deep or malformed JSON payloads sent to services using MessagePack-CSharp.

There are no specific built-in commands provided in the resources for direct detection, but general approaches include:

  • Monitor application logs for StackOverflowException or crashes related to JSON processing.
  • Use network traffic inspection tools (e.g., Wireshark, tcpdump) to capture JSON payloads and analyze their nesting depth or malformed separator runs.
  • Implement custom scripts or tools to parse JSON payloads and measure their nesting depth before processing.

Example commands to capture and inspect network traffic carrying JSON payloads might include:

  • tcpdump -i <interface> -A -s 0 'tcp port <application_port>' | grep -i '{' # Capture and filter JSON-like traffic
  • jq '.' < captured_payload.json # To pretty-print and inspect JSON structure and depth

However, detection is primarily based on application-level monitoring and input validation rather than simple commands.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart