GHSA-vh6j-jc39-fggf

Source

https://github.com/advisories/GHSA-vh6j-jc39-fggf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vh6j-jc39-fggf/GHSA-vh6j-jc39-fggf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vh6j-jc39-fggf

Aliases

CVE-2026-48506

Published

2026-06-25T18:46:24Z

Modified

2026-06-25T19:00:08.735721538Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth

Details

Summary

MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs.

Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException.

Impact

Applications that deserialize untrusted MessagePack payloads are affected when a formatter skips attacker-controlled values. This is a broad deserialization path and can be reached during normal object deserialization when an input includes an unknown member or extra value.

The attacker does not need to target a special resolver or compression mode. A payload containing many nested single-element arrays or maps in a skipped location can exhaust the process stack. Because StackOverflowException is not catchable in normal .NET execution, this terminates the host process and can deny service to other users of the same process.

MessagePackSecurity.UntrustedData does not mitigate this issue because the skip path does not participate in depth accounting.

Affected components

Package: MessagePack
APIs: MessagePackReader.Skip, MessagePackReader.TrySkip, and formatter paths that skip unknown or ignored values
Finding IDs: MESSAGEPACKCSHARP-021, duplicate/open variant MESSAGEPACKCSHARP-OPEN-001

Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

Upgrade MessagePack to the patched version for your release line.
Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

The fix should either make skip traversal iterative or apply the existing depth accounting to arrays and maps encountered by TrySkip(). Any exceeded depth limit should result in a catchable serialization exception instead of process stack exhaustion.

Workarounds

Patching is recommended.

There is no complete workaround for applications that deserialize untrusted MessagePack payloads with affected versions. Reducing accepted message sizes can raise the cost of exploitation but does not remove the recursive skip behavior. Strict schema validation outside MessagePack-CSharp may help only if it rejects unknown or skipped fields before the serializer sees them.

Resources

MESSAGEPACKCSHARP-021: unbounded recursion in TrySkip()
MESSAGEPACKCSHARP-OPEN-001: duplicate/open finding for the same root cause
CWE-674: Uncontrolled Recursion

CVE split rationale

This vulnerability is independently fixable in the skip traversal implementation. It should be tracked separately from formatter-specific missing depth checks, JSON conversion recursion, and non-recursion allocation bugs.

Database specific

{
    "github_reviewed_at": "2026-06-25T18:46:24Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-674"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-06-22T22:16:47Z"
}

References

Affected packages

NuGet / MessagePack

Package

Name: MessagePack; View open source insights on deps.dev
Purl: pkg:nuget/MessagePack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.301

Affected versions

0.*

0.1.0-beta

0.2.0-beta

0.2.1-beta

0.2.2-beta

0.2.3-beta

0.3.0-beta

0.4.0

0.4.1

0.4.2

0.5.0

0.6.0

0.6.1

0.7.0

0.7.2

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.1.1

1.1.2

1.2.0

1.2.0.1

1.2.0.2

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.1.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.0.1

1.5.0.2

1.5.1

1.6.0

1.6.0.1

1.6.0.2

1.6.0.3

1.6.1

1.6.1.1

1.6.1.2

1.6.2

1.7.0

1.7.1

1.7.2

1.7.3

1.7.3.1

1.7.3.2

1.7.3.3

1.7.3.4

1.7.3.7

1.8.71-beta

1.8.74

1.8.80

1.9.3-g129239b107

1.9.3

1.9.11

2.*

2.0.107-alpha

2.0.108-alpha

2.0.110-alpha

2.0.110-alpha-g1e44a9106f

2.0.119-beta

2.0.123-beta

2.0.171-beta

2.0.204-beta

2.0.221-beta

2.0.231-rc

2.0.270-rc

2.0.299-rc

2.0.323

2.0.335

2.1.80

2.1.90

2.1.115

2.1.143

2.1.152

2.1.165

2.1.194

2.2.36-alpha

2.2.44-rc

2.2.60

2.2.85

2.2.113

2.3.58-alpha

2.3.73-alpha

2.3.75

2.3.85

2.3.112

2.4.14-alpha

2.4.23-alpha

2.4.35

2.4.59

2.5.64-alpha

2.5.94

2.5.103

2.5.108

2.5.124

2.5.129

2.5.140

2.5.168

2.5.171

2.5.172

2.5.187

2.5.192

2.5.198

2.5.205

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vh6j-jc39-fggf/GHSA-vh6j-jc39-fggf.json"

NuGet / MessagePack

Package

Name: MessagePack; View open source insights on deps.dev
Purl: pkg:nuget/MessagePack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0

Fixed

3.1.7

Affected versions

3.*

3.0.3

3.0.54-alpha

3.0.111-alpha

3.0.129-beta

3.0.134-beta

3.0.208-rc-0001

3.0.300

3.0.308

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-vh6j-jc39-fggf/GHSA-vh6j-jc39-fggf.json"