Threat Advisory

MessagePack Vulnerabilities Enable CPU Exhaustion Through Malformed Payloads

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in MessagePack-CSharp (NuGet package MessagePack) in versions prior to 2.5.301 and in versions 3.0 through 3.1.6. The issues enable denial-of-service attacks through unchecked recursion and uncontrolled stack allocation when deserializing untrusted MessagePack data. One flaw allows the Skip routine to recurse without a depth limit, causing an uncatchable StackOverflowException; another permits a crafted timestamp extension to trigger an oversized stackalloc, also terminating the process. Both vulnerabilities can be triggered by malicious payloads and may result in service outages, loss of availability, and potential impact on all tenants sharing the same process.

  • CVE-2026-48506 with a CVSS score of 7.5 – The vulnerability resides in MessagePackReader.Skip/TrySkip, which recurses without depth checks; an attacker can craft deeply nested arrays or maps that cause unbounded recursion and an uncatchable StackOverflowException, terminating the host process. Exploitation requires only sending a malicious MessagePack payload; no special privileges are needed.
  • CVE-2026-48502 with a CVSS score of 7.5 – MessagePackReader.ReadDateTime allocates a stack buffer sized by an attacker-controlled timestamp extension length before validating it, so a crafted payload can force a large stackalloc and a StackOverflowException. An adversary can trigger this by sending a malformed timestamp extension in any untrusted MessagePack message; no authentication is required.

These vulnerabilities present a high-severity denial-of-service risk that can be exploited remotely by sending specially crafted MessagePack payloads. If exploited, the affected applications may crash abruptly, causing service interruption for all users sharing the process and potentially breaching service-level agreements. Immediate attention is required to assess exposure and plan remediation.
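To make the two defects concrete, the following is an added illustration in Python (not code from MessagePack-CSharp, the advisory, or the linked GHSA reports) of a skip routine over raw MessagePack bytes that applies the checks the advisory describes: a hard bound on container nesting before each recursive step, and validation of a timestamp extension's length before its body is ever read. MAX_DEPTH, the function names and the sample payloads in the test are assumptions.

```python
MAX_DEPTH = 64  # assumed nesting limit for untrusted input; tune per application

class MalformedMessagePack(ValueError):
    """Raised for truncated, reserved, over-nested or otherwise invalid input."""
def _uint(buf, pos, width):  # big-endian unsigned int of `width` bytes, bounds-checked first
    if pos + width > len(buf):
        raise MalformedMessagePack("truncated input")
    return int.from_bytes(buf[pos:pos + width], "big"), pos + width

def skip(buf, pos=0, depth=0, max_depth=MAX_DEPTH):
    """Return the offset just past the value at `pos`, refusing nesting beyond `max_depth`."""
    b, pos = _uint(buf, pos, 1)
    count = width = 0                                    # child values / payload bytes to skip
    if b <= 0x7F or b >= 0xE0 or b in (0xC0, 0xC2, 0xC3):
        return pos                                       # fixint, nil, bool: single byte
    elif 0x80 <= b <= 0x8F: count = 2 * (b & 0x0F)       # fixmap: key + value per entry
    elif 0x90 <= b <= 0x9F: count = b & 0x0F             # fixarray
    elif 0xA0 <= b <= 0xBF: width = b & 0x1F             # fixstr
    elif 0xC4 <= b <= 0xC9 or 0xD9 <= b <= 0xDB:         # bin/ext/str with 8/16/32-bit length
        width, pos = _uint(buf, pos, 1 << ((b - 0xC4) % 3))
        width += 0xC7 <= b <= 0xC9                       # ext bodies carry one extra type byte
    elif 0xD4 <= b <= 0xD8: width = (1 << (b - 0xD4)) + 1   # fixext1..16 plus type byte
    elif b in (0xCA, 0xCB): width = 4 << (b - 0xCA)       # float32/64
    elif 0xCC <= b <= 0xD3: width = 1 << ((b - 0xCC) & 3)   # uint8..64, int8..64
    elif 0xDC <= b <= 0xDF:                              # array16/32, map16/32
        count, pos = _uint(buf, pos, 2 << (b & 1))
        count *= 2 if b >= 0xDE else 1
    else:
        raise MalformedMessagePack(f"reserved format byte 0x{b:02x}")
    if count:                                            # containers: the only path that recurses
        if depth >= max_depth:                           # the bound an unchecked Skip would lack
            raise MalformedMessagePack(f"nesting exceeds {max_depth} levels")
        for _ in range(count):
            pos = skip(buf, pos, depth + 1, max_depth)
        return pos
    if pos + width > len(buf):
        raise MalformedMessagePack("truncated payload")
    return pos + width

def read_timestamp_seconds(buf, pos=0):
    """Seconds field of a timestamp ext (type -1); the length is validated before the body is read."""
    b, pos = _uint(buf, pos, 1)
    if b in (0xD6, 0xD7): length = 4 << (b - 0xD6)        # fixext4 / fixext8
    elif b == 0xC7: length, pos = _uint(buf, pos, 1)      # ext8: attacker-supplied length
    else: raise MalformedMessagePack("not a timestamp extension")
    if length not in (4, 8, 12) or pos + 1 + length > len(buf) or buf[pos] != 0xFF:
        raise MalformedMessagePack("invalid timestamp extension")  # reject before any buffer use
    body = buf[pos + 1:pos + 1 + length]
    if length == 4: return int.from_bytes(body, "big")                    # timestamp 32
    if length == 8: return int.from_bytes(body, "big") & ((1 << 34) - 1)  # timestamp 64: low 34 bits
    return int.from_bytes(body[4:], "big", signed=True)                   # timestamp 96: nsec, then sec
```

A payload nested past MAX_DEPTH is rejected with a catchable exception at a fixed depth instead of growing the call stack, and a timestamp whose declared length is not 4, 8 or 12 bytes is refused before any buffer is sized from it.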

RECOMMENDATION:

  • We recommend updating MessagePack to version 2.5.301 or to version 3.1.7, depending on the release line in use.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-vh6j-jc39-fggf
https://github.com/advisories/GHSA-382j-8mxh-c7x2
