CVE-2026-48513
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
In the MessagePack library for C# prior to versions 2.5.301 and 3.1.7, a vulnerability exists related to union deserialization that does not enforce object depth limits. Runtime-generated deserializers do not call necessary security steps, leading to potential security issues.
Risk Assessment
Organizations may be exposed to attacks that exploit this vulnerability to cause stack overflows or other depth-related issues, potentially leading to unauthorized data access.
Recommendation
It is recommended to update the MessagePack library to versions 2.5.301 or 3.1.7 to eliminate this vulnerability and ensure proper security during deserialization.
Original NVD description (English source)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.

