CVE-2026-48513

Source
https://cve.org/CVERecord?id=CVE-2026-48513
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48513.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48513
Aliases
Published
2026-06-22T21:12:43.104Z
Modified
2026-07-08T08:12:35.536273428Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
MessagePack-CSharp: DynamicUnionResolver generated deserializers miss depth enforcement
Details

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48513.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-674"
    ]
}
References

Affected packages

Git / github.com/messagepack-csharp/messagepack-csharp

Affected ranges

Type
GIT
Repo
https://github.com/messagepack-csharp/messagepack-csharp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.301"
        },
        {
            "introduced": "3.0.3"
        },
        {
            "fixed": "3.1.7"
        }
    ]
}

Affected versions

0.*
0.1.0-beta
0.2.0-beta
1.*
1.0.1
v1.*
v1.0.2
v1.0.3
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.2.3
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.4
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.1.2
v1.6.2
v1.7.0
v1.7.2
v1.7.3
v1.7.3.1
v1.7.3.2
v1.7.3.3
v1.7.3.4
v2.*
v2.0.110-alpha
v2.0.119-beta
v2.0.123-beta
v2.0.204-beta
v2.0.270-rc
v2.0.94-alpha
v2.1.115
v2.1.143
v2.1.152
v2.1.165
v2.1.194
v2.1.80
v2.1.90
v2.2.113
v2.2.60
v2.2.85
v2.3.75
v2.3.85
v2.4.23-alpha
v2.4.35
v2.4.59
v2.5.103
v2.5.108
v2.5.124
v2.5.129
v2.5.140
v2.5.168
v2.5.171
v2.5.172
v2.5.187
v2.5.192
v2.5.198
v2.5.94
v3.*
v3.0.3
v3.0.300
v3.0.301
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48513.json"