MessagePack for C# Vulnerability in Typeless Deserialization by MessagePack-CSharp
CVE-2026-48517

CVSS score: 6.3 (MEDIUM)

Key Information:

Vendor
CVE Published: 22 June 2026

What is CVE-2026-48517?

The MessagePack for C# library, in versions prior to 2.5.301 and 3.1.7, has a deserialization vulnerability caused by insufficient type validation. The serializer does implement a safety check that rejects dangerous types during typeless deserialization, but that check does not recurse into array element types or the type arguments of generic types. As a result, a type the check would reject can slip past it when it is nested inside an array or a generic construct, which could be exploited. Developers using these versions should upgrade to at least 2.5.301 or 3.1.7 to mitigate this risk.
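The missing recursion described above, as an added example that is not MessagePack's own code: a hypothetical `TypeGuard` with a shallow blocklist check beside a recursive one that also unwraps array element types and generic type arguments. `BlockedMarker` and the blocklist contents are constructed placeholders, not the library's real denylist.

```csharp
using System;
using System.Collections.Generic;

// Constructed placeholder standing in for a type the deserializer must refuse.
public sealed class BlockedMarker { }

public static class TypeGuard
{
    // Hypothetical blocklist, populated only with the placeholder above.
    private static readonly HashSet<Type> Blocked = new HashSet<Type> { typeof(BlockedMarker) };

    // Shallow check: looks only at the outer type. This is the shape of check the
    // advisory says can be bypassed by nesting the blocked type in a container.
    public static bool IsBlockedShallow(Type t) => Blocked.Contains(t);

    // Recursive check: unwraps array/byref/pointer element types and generic type
    // arguments so a blocked type cannot hide inside a container type.
    public static bool IsBlockedDeep(Type t)
    {
        if (Blocked.Contains(t)) return true;

        if (t.HasElementType)                      // T[], T&, T*
        {
            var elem = t.GetElementType();
            return elem != null && IsBlockedDeep(elem);
        }

        if (t.IsGenericType)
        {
            // Reject a blocked open generic definition as well as blocked arguments.
            if (Blocked.Contains(t.GetGenericTypeDefinition())) return true;
            foreach (var arg in t.GetGenericArguments())
                if (IsBlockedDeep(arg)) return true;
        }
        return false;
    }

    public static void Main()
    {
        // Blocked type buried two levels deep inside generics and an array.
        var nested = typeof(List<Dictionary<string, BlockedMarker[]>>);
        Console.WriteLine($"shallow: {IsBlockedShallow(nested)}"); // outer List<> only
        Console.WriteLine($"deep:    {IsBlockedDeep(nested)}");    // walks into the array element
        Console.WriteLine($"benign:  {IsBlockedDeep(typeof(List<int>))}");
    }
}
```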

Affected Version(s)

MessagePack-CSharp < 3.1.7 (fixed in 3.1.7)

MessagePack-CSharp < 2.5.301 (fixed in 2.5.301)

References

CVSS v4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
