GHSA-2x83-8g95-xh59

Source

https://github.com/advisories/GHSA-2x83-8g95-xh59

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2x83-8g95-xh59/GHSA-2x83-8g95-xh59.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2x83-8g95-xh59

Aliases

CVE-2026-48511

Published

2026-06-25T19:36:23Z

Modified

2026-06-25T19:45:08.474256066Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps

Details

Summary

ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies.

For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals.

Impact

Applications are affected when they deserialize untrusted MessagePack maps into ExpandoObject using ExpandoObjectResolver or related resolver options.

A hostile payload containing many distinct keys can cause CPU exhaustion and allocation churn disproportionate to the input size. This can make a server unresponsive or exhaust memory under concurrent request load.

This is not a hash-collision attack against a configurable dictionary comparer. The super-linear behavior comes from ExpandoObject's insertion model, so MessagePackSecurity.UntrustedData does not eliminate the cost.

Affected components

Package: MessagePack
APIs: ExpandoObjectFormatter.Deserialize, ExpandoObjectResolver
Data type: System.Dynamic.ExpandoObject
Finding ID: MESSAGEPACKCSHARP-102

Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

Upgrade MessagePack to the patched version for your release line.
Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

Potential fixes include applying a map-entry count limit for ExpandoObject under untrusted-data settings, buffering into a security-aware dictionary before materializing a bounded ExpandoObject, or otherwise rejecting maps large enough to trigger quadratic behavior.

Workarounds

Patching is recommended.

Until a patched version is available, avoid deserializing untrusted payloads into ExpandoObject. Prefer strongly typed DTOs or dictionaries with security-aware comparers and explicit count limits. Enforce request-size and map-entry limits at the transport or application layer.

Resources

MESSAGEPACKCSHARP-102: ExpandoObjectFormatter quadratic insertion behavior
CWE-407: Inefficient Algorithmic Complexity

Database specific

{
    "github_reviewed_at": "2026-06-25T19:36:23Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-407"
    ],
    "nvd_published_at": "2026-06-22T22:16:47Z",
    "github_reviewed": true
}

References

Affected packages

NuGet / MessagePack

Package

Name: MessagePack; View open source insights on deps.dev
Purl: pkg:nuget/MessagePack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.301

Affected versions

0.*

0.1.0-beta

0.2.0-beta

0.2.1-beta

0.2.2-beta

0.2.3-beta

0.3.0-beta

0.4.0

0.4.1

0.4.2

0.5.0

0.6.0

0.6.1

0.7.0

0.7.2

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.1.1

1.1.2

1.2.0

1.2.0.1

1.2.0.2

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.1.1

1.3.2

1.3.3

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.0.1

1.5.0.2

1.5.1

1.6.0

1.6.0.1

1.6.0.2

1.6.0.3

1.6.1

1.6.1.1

1.6.1.2

1.6.2

1.7.0

1.7.1

1.7.2

1.7.3

1.7.3.1

1.7.3.2

1.7.3.3

1.7.3.4

1.7.3.7

1.8.71-beta

1.8.74

1.8.80

1.9.3-g129239b107

1.9.3

1.9.11

2.*

2.0.107-alpha

2.0.108-alpha

2.0.110-alpha

2.0.110-alpha-g1e44a9106f

2.0.119-beta

2.0.123-beta

2.0.171-beta

2.0.204-beta

2.0.221-beta

2.0.231-rc

2.0.270-rc

2.0.299-rc

2.0.323

2.0.335

2.1.80

2.1.90

2.1.115

2.1.143

2.1.152

2.1.165

2.1.194

2.2.36-alpha

2.2.44-rc

2.2.60

2.2.85

2.2.113

2.3.58-alpha

2.3.73-alpha

2.3.75

2.3.85

2.3.112

2.4.14-alpha

2.4.23-alpha

2.4.35

2.4.59

2.5.64-alpha

2.5.94

2.5.103

2.5.108

2.5.124

2.5.129

2.5.140

2.5.168

2.5.171

2.5.172

2.5.187

2.5.192

2.5.198

2.5.205

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2x83-8g95-xh59/GHSA-2x83-8g95-xh59.json"

NuGet / MessagePack

Package

Name: MessagePack; View open source insights on deps.dev
Purl: pkg:nuget/MessagePack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0

Fixed

3.1.7

Affected versions

3.*

3.0.3

3.0.54-alpha

3.0.111-alpha

3.0.129-beta

3.0.134-beta

3.0.208-rc-0001

3.0.300

3.0.308

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2x83-8g95-xh59/GHSA-2x83-8g95-xh59.json"