CVE Catalog

CVE-2026-48517

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

The MessagePack library for C# has a vulnerability related to type deserialization that does not recursively check array element types or generic type arguments. This can lead to a situation where a dangerous type that should be blocked can be deserialized if wrapped in an array or generic type.

Risk Assessment

Organizations may be exposed to attacks that exploit this vulnerability to deserialize dangerous types, potentially leading to the execution of malicious code or other unauthorized actions.

Recommendation

It is recommended to upgrade to version 2.5.301 or 3.1.7 to eliminate this vulnerability and ensure the security of applications using MessagePack for C#.

Original NVD description (English source)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS