Inefficient Algorithmic Complexity Affecting messagepack package, versions [,2.5.301)[3.0,3.1.7)


Severity: medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS
0.23% (14th percentile)

  • Snyk ID: SNYK-DOTNET-MESSAGEPACK-17660966
  • published: 28 Jun 2026
  • disclosed: 25 Jun 2026
  • credit: AArnott

Introduced: 25 Jun 2026

CVE-2026-48511
CWE-407

How to fix?

Upgrade MessagePack to version 2.5.301, 3.1.7 or higher.

Overview

MessagePack is a MessagePack (MsgPack) serializer for C# (.NET, .NET Core, Unity, Xamarin).

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the ExpandoObjectFormatter.Deserialize process. An attacker can cause excessive CPU consumption and memory allocation by submitting a large, attacker-controlled map with many distinct keys during deserialization, leading to server unresponsiveness or resource exhaustion. This is only exploitable if untrusted MessagePack maps are deserialized into ExpandoObject using ExpandoObjectResolver or related resolver options.

Workaround

This vulnerability can be mitigated by not deserializing untrusted payloads into ExpandoObject at all: prefer strongly typed DTOs, or dictionaries with security-aware (hash-collision-resistant) key comparers and an explicit limit on the number of entries, and enforce request-size and map-entry limits at the transport or application layer before deserialization begins.
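The following C# snippet is an added illustration of that workaround; it is not code from the advisory or from the MessagePack project. It shows the risky pattern (deserializing untrusted bytes into ExpandoObject) beside a hardened variant that uses a strongly typed DTO, the UntrustedData security profile for dictionary comparers, and an explicit entry-count check on the top-level map before full deserialization. The DTO `LoginEvent`, the `MaxMapEntries` limit and the helper names are assumptions; `ExpandoObjectResolver.Options` is assumed to be the options object that resolver exposes.

```csharp
using System;
using System.Collections.Generic;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Hypothetical strongly typed DTO used instead of ExpandoObject for untrusted input.
// Unknown keys cannot be injected into a fixed-shape type.
[MessagePackObject]
public sealed class LoginEvent
{
    [Key(0)] public string User { get; set; } = "";
    [Key(1)] public long Timestamp { get; set; }
}

public static class UntrustedMsgPack
{
    // Assumed application-level cap on entries in a top-level map; tune to the schema.
    public const int MaxMapEntries = 64;

    // Hardened options: standard typed resolver plus the UntrustedData security profile,
    // which supplies hash-collision-resistant comparers for dictionary keys.
    private static readonly MessagePackSerializerOptions SafeOptions =
        MessagePackSerializerOptions.Standard.WithSecurity(MessagePackSecurity.UntrustedData);

    // Risky pattern described in the advisory: attacker-controlled map shape and key set
    // drive ExpandoObjectFormatter.Deserialize. Kept only for contrast.
    public static ExpandoObject DeserializeDynamicUnsafe(byte[] payload) =>
        MessagePackSerializer.Deserialize<ExpandoObject>(payload, ExpandoObjectResolver.Options);

    // Pre-check: read only the map header and reject oversized maps before allocating anything.
    public static bool TopLevelMapWithinLimit(ReadOnlyMemory<byte> payload)
    {
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Map)
            return false;
        int entries = reader.ReadMapHeader();
        return entries <= MaxMapEntries;
    }

    // Preferred: fixed-shape DTO, hardened options.
    public static LoginEvent DeserializeTyped(byte[] payload) =>
        MessagePackSerializer.Deserialize<LoginEvent>(payload, SafeOptions);

    // Acceptable when a dictionary is genuinely needed: bounded entry count plus
    // collision-resistant comparers from the UntrustedData profile.
    public static Dictionary<string, string> DeserializeBoundedMap(byte[] payload)
    {
        if (!TopLevelMapWithinLimit(payload))
            throw new InvalidOperationException("rejected: not a map or too many entries");
        return MessagePackSerializer.Deserialize<Dictionary<string, string>>(payload, SafeOptions);
    }
}
```

The header check is cheap because `ReadMapHeader` consumes only the map prefix; the request-size limit at the transport layer still belongs in front of it, since a small header can precede a large body of nested values.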
