CVE-2026-48512
Stack Overflow in MessagePack for C# JSON Conversion

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization.

MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader).

Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.
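As an added illustration (not MessagePack-CSharp code), the following minimal C# JSON walker shows the two defensive properties the description says the affected paths lack: a depth limit consulted before every container is entered, and separator runs consumed in a loop rather than one stack frame per character. The class, its method names and the limit of 500 are assumptions made for this example only.

```csharp
using System;

public sealed class DepthLimitedJsonWalker
{
    private readonly string _json;
    private readonly int _maxDepth;   // assumed to play the role of MessagePackSecurity.MaximumObjectGraphDepth
    private int _pos, _depth;
    public DepthLimitedJsonWalker(string json, int maxDepth) { _json = json; _maxDepth = maxDepth; }
    // Walks one JSON value; containers are rejected with a catchable exception once the depth budget is spent.
    public void WalkValue()
    {
        SkipSeparators();
        if (_pos >= _json.Length) throw new FormatException("unexpected end of input");
        char c = _json[_pos];
        if (c == '[' || c == '{')
        {
            // The check the advisory says FromJsonCore/ToJsonCore omit: enforce it before recursing.
            if (++_depth > _maxDepth) throw new InvalidOperationException($"nesting exceeds {_maxDepth}");
            char close = c == '[' ? ']' : '}';
            _pos++;
            while (true)
            {
                SkipSeparators();
                if (_pos >= _json.Length) throw new FormatException("unterminated container");
                if (_json[_pos] == close) { _pos++; break; }
                WalkValue(); // recursion depth is bounded by _maxDepth
            }
            _depth--;
        }
        else
        {
            // Scalar: consume up to the next structural character (illustration only; no string escapes).
            while (_pos < _json.Length && "[]{},:".IndexOf(_json[_pos]) < 0) _pos++;
        }
    }
    // Iterative, so a separator run of any length costs no stack frames (contrast with the recursive ReadNextToken).
    private void SkipSeparators()
    {
        while (_pos < _json.Length && (",:".IndexOf(_json[_pos]) >= 0 || char.IsWhiteSpace(_json[_pos]))) _pos++;
    }
    public static void Main()
    {
        var deep = new string('[', 10_000) + new string(']', 10_000);   // constructed hostile input
        try { new DepthLimitedJsonWalker(deep, 500).WalkValue(); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
        new DepthLimitedJsonWalker(new string(',', 1_000_000) + "1", 500).WalkValue();
        Console.WriteLine("long separator run consumed without recursion");
    }
}
```

The same shape of test (a deeply nested document and a long separator run, each expected to end in a catchable exception or a normal return) is a reasonable regression check to run against a patched build of the library.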
Affected Vendors & Products
Vendor Product Version / Range
neuecc messagepack-csharp 2.5.301
neuecc messagepack-csharp 3.1.7
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

This vulnerability exists in MessagePack for C#, specifically in its JSON conversion helpers prior to versions 2.5.301 and 3.1.7. The issue arises because multiple recursion paths in the JSON conversion component do not consistently enforce a depth limit. This means that when processing nested JSON arrays and objects, the software can recursively consume stack frames without proper checks, especially when handling malformed JSON with long runs of separator characters.

As a result, attacker-controlled input can cause the process stack to be exhausted, leading to an uncatchable StackOverflowException instead of a normal, catchable parse or serialization exception. This vulnerability is fixed in versions 2.5.301 and 3.1.7.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service condition. By sending specially crafted JSON input that exploits the unchecked recursion depth, the attacker can trigger a StackOverflowException that crashes the process running the MessagePack for C# serializer.

Because the exception is uncatchable, it can lead to application instability or downtime, potentially disrupting services that rely on this serialization library.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to a fixed release: 2.5.301 or later on the 2.5 line, or 3.1.7 or later on the 3.x line. Note that the affected recursion paths are in the JSON conversion helpers (MessagePackSerializer.ConvertFromJson and ConvertToJson), not in normal typed MessagePack deserialization, so exposure depends on whether those helpers are called on untrusted input.
