cvedb.io
CVE-2026-48509
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-06-22T22:16:47.573 · Last modified 2026-06-25T16:16:35.753

Summary

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary. This insecure default can expose applications to denial-of-service attacks that MessagePackSecurity.UntrustedData is intended to mitigate, such as hash-collision attacks against dictionary-like model properties. This vulnerability is fixed in 2.5.301 and 3.1.7.
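The mitigation the advisory points at is to stop relying on the parameterless constructor and pass serializer options that carry the UntrustedData security profile. The registration below is an added example, not code from the advisory or the MessagePack project; it assumes a minimal ASP.NET Core app with the MessagePack.AspNetCoreMvcFormatter package referenced.

```csharp
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Explicit options: Standard resolver, but with the UntrustedData security
// profile. That profile enables collision-resistant hashing for dictionary-like
// keys and caps object-graph depth, which is what blocks the hash-collision
// denial of service the advisory describes for HTTP request bodies.
var untrusted = MessagePackSerializerOptions.Standard
    .WithSecurity(MessagePackSecurity.UntrustedData);

builder.Services.AddControllers(mvc =>
{
    // Vulnerable pattern on releases before 2.5.301 / 3.1.7: the parameterless
    // constructor silently resolves to Standard options with TrustedData.
    // mvc.InputFormatters.Add(new MessagePackInputFormatter());

    // Hardened: pass the options explicitly. This is correct on every version,
    // and it keeps the chosen trust level visible in the code that reviewers read.
    mvc.InputFormatters.Add(new MessagePackInputFormatter(untrusted));
    mvc.OutputFormatters.Add(new MessagePackOutputFormatter(untrusted));
});

var app = builder.Build();
app.MapControllers();
app.Run();
```

Upgrading to a fixed release changes the constructor's default, but an explicit options object is still the clearer audit trail for a formatter that sits on a trust boundary.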

Affected products

messagepack — messagepack

