Insecure Default Serializer Options in MessagePack for C# by MsgPack
CVE-2026-48509

6.3 MEDIUM

Key Information:

Vendor: MsgPack
CVE Published: 22 June 2026

What is CVE-2026-48509?

The MessagePack for C# library contains a vulnerability in which the parameterless MessagePackInputFormatter() constructor uses insecure default serializer options. Specifically, it defaults to MessagePackSerializerOptions.Standard, whose security setting is MessagePackSecurity.TrustedData. That setting is inappropriate for ASP.NET Core MVC request bodies, which cross an HTTP trust boundary and are therefore attacker-controlled. Applications that rely on this default can be exposed to denial-of-service attacks, including hash-collision attacks against dictionary-like model properties. The issue was addressed in versions 2.5.301 and 3.1.7, which introduced secure defaults to mitigate these risks.
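The registration below is an added example, not code from the advisory or from the MessagePack-CSharp project. It shows the weak configuration the advisory describes next to the hardened form: passing explicit options with MessagePackSecurity.UntrustedData to MessagePackInputFormatter instead of relying on the parameterless constructor. It assumes the MessagePack.AspNetCoreMvcFormatter package and the ASP.NET Core minimal hosting model; the OrderRequest model and its Tags dictionary are constructed for illustration.

```csharp
// Added example (not from the advisory or the MessagePack-CSharp project):
// registering MessagePackInputFormatter in ASP.NET Core MVC with explicit,
// hardened serializer options instead of the parameterless constructor's
// defaults described in CVE-2026-48509.
using System.Collections.Generic;
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Constructed model for illustration: the Tags member is exactly the kind of
// dictionary-like property the advisory mentions, because its keys come from
// the request body and feed the dictionary's hash table.
[MessagePackObject]
public class OrderRequest
{
    [Key(0)] public string Id { get; set; } = string.Empty;
    [Key(1)] public Dictionary<string, string> Tags { get; set; } = new();
}

var builder = WebApplication.CreateBuilder(args);

// VULNERABLE (versions before 2.5.301 / 3.1.7): the parameterless constructor
// uses MessagePackSerializerOptions.Standard, whose Security is TrustedData.
// Request bodies cross an HTTP trust boundary, so TrustedData is the wrong
// assumption for an input formatter.
//
//   options.InputFormatters.Add(new MessagePackInputFormatter());

// HARDENED: state the trust level explicitly. UntrustedData enables the
// library's collision-resistant hashing for dictionary-like members and its
// nesting depth limit during deserialization, which is also what the fixed
// releases default to. Being explicit keeps the protection in place even if
// the package is later downgraded or the default changes again.
var untrustedOptions = MessagePackSerializerOptions.Standard
    .WithSecurity(MessagePackSecurity.UntrustedData);

builder.Services.AddControllers(options =>
{
    options.InputFormatters.Add(new MessagePackInputFormatter(untrustedOptions));
    // The security setting only affects deserialization; responses are
    // produced by application code, so the same options are fine here.
    options.OutputFormatters.Add(new MessagePackOutputFormatter(untrustedOptions));
});

var app = builder.Build();
app.MapControllers();
app.Run();
```

When auditing an existing service, the thing to look for is any `new MessagePackInputFormatter()` call with no arguments (or any options object whose `Security` is `MessagePackSecurity.TrustedData`) on a code path that reads request bodies; upgrading to 2.5.301 or 3.1.7 or later fixes the default, and passing `UntrustedData` explicitly as above makes the intent visible in the code regardless of package version.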

Affected Version(s)

MessagePack-CSharp < 3.1.7 (fixed in 3.1.7)

MessagePack-CSharp < 2.5.301 (fixed in 2.5.301)

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 22 June 2026

  • Vulnerability Reserved