CVE Catalog

CVE-2026-48511

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile - higher than 14% of all known CVEs

Summary

MessagePack for C# has a vulnerability in the ExpandoObjectFormatter's Deserialize method that can lead to significant CPU and memory overhead when handling large attacker-controlled maps. This issue exists prior to versions 2.5.301 and 3.1.7.

Risk Assessment

Organizations may experience application performance degradation due to excessive CPU and memory load, potentially leading to service outages or delays.

Recommendation

It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability and enhance application security.

Original NVD description (English source)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS