cvedb.io
CVE-2026-48513
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-06-22T22:16:48.100 · Last modified 2026-06-25T16:16:36.197

Summary

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
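The advisory describes the missing check in terms of MessagePack for C#'s public formatter API, so the mitigation pattern is easy to show on a hand-written union formatter. The following is an added example, not code from the MessagePack for C# project or from the advisory: the `Node`/`Leaf`/`Branch` types and the `[key, payload]` layout are constructed for illustration, and the formatter takes the one depth step per union level, in a `try`/`finally`, so that both the recursive member path and the `reader.Skip()` path for an unknown key run inside it and the step is always undone.

```csharp
using System;
using MessagePack;
using MessagePack.Formatters;
using MessagePack.Resolvers;

// Constructed union hierarchy used only for this example.
public abstract class Node { }
public sealed class Leaf : Node { public int Value; }
public sealed class Branch : Node { public Node Left; public Node Right; }

// Hand-written union formatter. Each Node is encoded as a 2-element array
// [key, payload]; key 0 = Leaf, key 1 = Branch (layout chosen for this example).
public sealed class NodeFormatter : IMessagePackFormatter<Node>
{
    public void Serialize(ref MessagePackWriter writer, Node value, MessagePackSerializerOptions options)
    {
        if (value == null) { writer.WriteNil(); return; }
        writer.WriteArrayHeader(2);
        switch (value)
        {
            case Leaf leaf:
                writer.Write(0);
                writer.Write(leaf.Value);
                break;
            case Branch b:
                writer.Write(1);
                writer.WriteArrayHeader(2);
                Serialize(ref writer, b.Left, options);
                Serialize(ref writer, b.Right, options);
                break;
            default:
                throw new MessagePackSerializationException("Unknown union member: " + value.GetType());
        }
    }

    public Node Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) return null;

        // Count this union level against MaximumObjectGraphDepth before reading
        // any nested data. DepthStep increments reader.Depth and throws once the
        // configured limit is exceeded; the finally block restores the counter on
        // every exit path (return, skip or exception), which is exactly what the
        // advisory says the generated union deserializers failed to do.
        options.Security.DepthStep(ref reader);
        try
        {
            if (reader.ReadArrayHeader() != 2)
                throw new MessagePackSerializationException("Invalid union envelope");

            int key = reader.ReadInt32();
            switch (key)
            {
                case 0:
                    return new Leaf { Value = reader.ReadInt32() };
                case 1:
                    if (reader.ReadArrayHeader() != 2)
                        throw new MessagePackSerializationException("Invalid Branch payload");
                    // Recursive path: each nested Node takes its own depth step.
                    return new Branch
                    {
                        Left = Deserialize(ref reader, options),
                        Right = Deserialize(ref reader, options),
                    };
                default:
                    // Unknown key: discard the payload. The Skip() runs inside the
                    // enclosing depth step rather than outside it.
                    reader.Skip();
                    return null;
            }
        }
        finally
        {
            reader.Depth--;
        }
    }
}

public static class DepthDemo
{
    // Options that treat input as untrusted and cap the object graph depth.
    static MessagePackSerializerOptions Options(int maxDepth) =>
        MessagePackSerializerOptions.Standard
            .WithResolver(CompositeResolver.Create(
                new IMessagePackFormatter[] { new NodeFormatter() },
                new IFormatterResolver[] { StandardResolver.Instance }))
            .WithSecurity(MessagePackSecurity.UntrustedData.WithMaximumObjectGraphDepth(maxDepth));

    public static void Main()
    {
        // Build a left-leaning chain of depth 6 (constructed input).
        Node chain = new Leaf { Value = 1 };
        for (int i = 0; i < 5; i++) chain = new Branch { Left = chain, Right = new Leaf { Value = i } };

        byte[] bytes = MessagePackSerializer.Serialize(chain, Options(64));

        // A limit of 3 is exceeded by this graph, so the deserializer throws
        // (MessagePackSerializer wraps the depth failure in a
        // MessagePackSerializationException) instead of recursing unbounded.
        try
        {
            MessagePackSerializer.Deserialize<Node>(bytes, Options(3));
            Console.WriteLine("unexpected: depth limit not enforced");
        }
        catch (MessagePackSerializationException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

The point to check in any custom or generated formatter that recurses is the pairing: one `DepthStep` on entry, one `reader.Depth--` in `finally`, with no recursive call or `Skip()` sitting outside that pair. Upgrading to 2.5.301 or 3.1.7 restores this pairing for `DynamicUnionResolver` output; a hand-written formatter like the one above has to do it itself.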

Affected products

messagepack — messagepack

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.