Uncontrolled Recursion Affecting messagepack package, versions [,2.5.301) [3.0,3.1.7)


Severity

medium

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.23% (14th percentile)

  • Snyk ID: SNYK-DOTNET-MESSAGEPACK-17660968
  • published: 28 Jun 2026
  • disclosed: 25 Jun 2026
  • credit: AArnott

Introduced: 25 Jun 2026

CVE-2026-48513
CWE-674

How to fix?

Upgrade MessagePack to version 2.5.301, 3.1.7 or higher.

Overview

MessagePack is a MessagePack (MsgPack) serializer for C# (.NET, .NET Core, Unity, Xamarin).

Affected versions of this package are vulnerable to Uncontrolled Recursion in the DynamicUnionResolver.BuildDeserialize process. An attacker can cause a process crash by providing a specially crafted union payload with an unknown key and deeply nested value, which bypasses configured depth limits and leads to unbounded recursion. This is only exploitable if applications deserialize untrusted payloads into object graphs containing [Union]-decorated interfaces or abstract classes handled by the dynamic resolver.

Workaround

This vulnerability can be mitigated by avoiding deserialization of untrusted payloads into dynamically resolved [Union] types, preferring source-generated formatters with depth checks, and enforcing outer message-size and schema constraints.
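
The outer message-size and structural constraints named in the workaround can be enforced on the raw bytes before any deserializer sees them. The Python sketch below is an added example, not code from Snyk or the MessagePack project: it walks MessagePack framing with an explicit stack and rejects oversized, truncated or over-deep messages. It covers nesting in general rather than only [Union] values, and the names check_payload and Rejected and the default limits are assumptions.

```python
FIXED = {0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2, 0xce: 4, 0xcf: 8, 0xd0: 1, 0xd1: 2,
         0xd2: 4, 0xd3: 8, 0xd4: 2, 0xd5: 3, 0xd6: 5, 0xd7: 9, 0xd8: 17}
# bin/ext/str with a length prefix: tag -> (length-field width, extra bytes)
SIZED = {0xc4: (1, 0), 0xc5: (2, 0), 0xc6: (4, 0), 0xc7: (1, 1), 0xc8: (2, 1),
         0xc9: (4, 1), 0xd9: (1, 0), 0xda: (2, 0), 0xdb: (4, 0)}
# array16/32 and map16/32: tag -> (count-field width, values per entry)
NESTED = {0xdc: (2, 1), 0xdd: (4, 1), 0xde: (2, 2), 0xdf: (4, 2)}

class Rejected(ValueError):
    """Payload violates the size, depth or framing policy."""

def check_payload(data, max_bytes=1 << 20, max_depth=32):
    """Added example (illustrative names and limits): deepest nesting, or raise."""
    if len(data) > max_bytes:
        raise Rejected("message exceeds size limit")
    pos, deepest, pending = 0, 0, [1]  # pending: values still owed per open level
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise Rejected("truncated message")
        pos += n
        return data[pos - n:pos]
    while pending:  # explicit stack, so hostile nesting cannot exhaust the call stack
        pending[-1] -= 1
        tag, children = take(1)[0], None  # children stays None for scalars
        if 0x80 <= tag <= 0x9f:  # fixmap (two values per entry) or fixarray
            children = (tag & 0x0f) * (2 if tag < 0x90 else 1)
        elif 0xa0 <= tag <= 0xbf:  # fixstr
            take(tag & 0x1f)
        elif tag in FIXED:  # float, int and fixext payloads of known size
            take(FIXED[tag])
        elif tag in SIZED:
            width, extra = SIZED[tag]
            take(int.from_bytes(take(width), "big") + extra)
        elif tag in NESTED:
            width, per_entry = NESTED[tag]
            children = per_entry * int.from_bytes(take(width), "big")
        elif tag == 0xc1:
            raise Rejected("reserved type byte 0xc1")
        if children is not None:
            pending.append(children)
            deepest = max(deepest, len(pending) - 1)
            if deepest > max_depth:
                raise Rejected("nesting exceeds depth limit")
        while pending and pending[-1] == 0:
            pending.pop()
    if pos != len(data):
        raise Rejected("trailing bytes after message")
    return deepest
```

The check treats its input as exactly one message, so a stream of concatenated messages has to be split before it is called.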
