MessagePack
NuGet12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting MessagePackpage 1 of 1
- CVE-2020-5234MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2.1.902020-01-31
vulnerable: 2.0.107-alpha ... 2.1.80 (15 versions)
MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and re…
- CVE-2024-48924HIGHCVSS 8.7EG 8.7✓ Fixed in 3.0.214-rc.12024-10-17
vulnerable: 2.6.100-alpha ... 3.0.54-alpha (7 versions)
### Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consump…
- CVE-2026-48109HIGHCVSS 8.2EG 8.2✓ Fixed in 3.1.72026-06-11
vulnerable: 3.0.300 ... 3.1.6 (9 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation i…
- CVE-2026-48502HIGHCVSS 7.5EG 7.5✓ Fixed in 3.1.72026-06-22
vulnerable: 3.0.111-alpha ... 3.1.6 (15 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp exte…
- CVE-2026-48506HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. T…
- CVE-2026-48509CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with Messa…
- CVE-2026-48510HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers b…
- CVE-2026-48511HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject inter…
- CVE-2026-48512HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON co…
- CVE-2026-48514HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before v…
- CVE-2026-48515HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validati…
- CVE-2026-48516HIGHCVSS 7.5EG 7.5✓ Fixed in 2.5.3012026-06-22
vulnerable: 0.1.0-beta ... 2.5.94 (120 versions)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the …
Check whether MessagePack is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for MessagePack CVEs against the assets you own.
Start Free Scan →