CVE-2026-48506

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:messagepack:messagepack::::::c\#::*
	cpe:2.3:a:messagepack:messagepack::::::c\#::*

History

23 Jun 2026, 17:24

Type	Values Removed	Values Added
References	~~() https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf -~~	() https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:messagepack:messagepack::::::c\#::*
First Time		Messagepack messagepack Messagepack

22 Jun 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-22 22:16

Updated : 2026-06-23 17:24

NVD link : CVE-2026-48506

Mitre link : CVE-2026-48506

CVE.ORG link : CVE-2026-48506

JSON object : View

Products Affected

messagepack

messagepack

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2026-48506", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-48506", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T12:13:49.801472Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "MessagePack-CSharp", "product": "MessagePack-CSharp", "versions": [{"status": "affected", "version": ">= 3.1.7, < 3.1.7"}, {"status": "affected", "version": "< 2.5.301"}]}]}], "published": "2026-06-22T22:16:47.437", "references": [{"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7."}], "lastModified": "2026-06-23T17:24:50.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "vulnerable": true, "matchCriteriaId": "1B965ABC-EE02-45D7-895A-E05EE88CF67B", "versionEndExcluding": "2.5.301"}, {"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "vulnerable": true, "matchCriteriaId": "FD170D86-D657-4F8D-99BF-9624CDC0287A", "versionEndExcluding": "3.1.7", "versionStartIncluding": "3.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}