CVE-2026-48517
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
The MessagePack library for C# has a vulnerability related to type deserialization that does not recursively check array element types or generic type arguments. This can lead to a situation where a dangerous type that should be blocked can be deserialized if wrapped in an array or generic type.
Risk Assessment
Organizations may be exposed to attacks that exploit this vulnerability to deserialize dangerous types, potentially leading to the execution of malicious code or other unauthorized actions.
Recommendation
It is recommended to upgrade to version 2.5.301 or 3.1.7 to eliminate this vulnerability and ensure the security of applications using MessagePack for C#.
Original NVD description (English source)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.

