Intro
MessagePack-CSharp is a popular MessagePack serializer for C#. Prior to versions 2.5.301 and 3.1.7, the `MessagePackReader.ReadDateTime()` method contains a critical vulnerability that allows an attacker to trigger an uncatchable StackOverflowException, crashing the host process.
The flaw resides in the timestamp extension parsing slow path. When the reader encounters a MessagePack extension type that represents a timestamp, it computes a `tokenSize` value that includes the extension body length received from the network. This `tokenSize` is then used directly in a `stackalloc` operation to allocate a buffer on the stack. Critically, the extension length is not validated against the allowed timestamp sizes (4, 8, or 12 bytes) until after this stack allocation has already been performed.
An attacker can craft a minimal payload—just a few bytes—that declares a timestamp extension with an enormous body length (e.g., 1,000,000 bytes) but sends insufficient actual data. The reader enters the slow path, computes the oversized tokenSize, and attempts to `stackalloc` a buffer of that size. Because the stack has a limited size (typically 1 MB on Windows), this allocation overflows the stack and triggers a StackOverflowException. This exception is uncatchable in .NET—it terminates the process immediately, making it a reliable denial-of-service vector.
The vulnerability is reachable through the standard formatter set; no special features like typeless serialization, LZ4 compression, or Unity resolvers are required. Security mitigations such as `MessagePackSecurity.UntrustedData` and `MaximumObjectGraphDepth` are ineffective because the crash occurs in a single stack frame, not through recursion. The issue is tracked internally as `MESSAGEPACKCSHARP-020` and is related to a broader class of stack allocation flaws (MESSAGEPACKCSHARP-CROW-MEM-001).
Patches are available in versions 2.5.301 and 3.1.7, which validate the timestamp extension length before any stack allocation. Users are strongly advised to upgrade immediately. For those unable to patch, the only effective workaround is to avoid deserializing untrusted MessagePack data that contains `DateTime` or `DateTimeOffset` fields.
DailyCVE Form:
Platform: ……. MessagePack-CSharp
Version: …….. 2.5.300/3.1.6
Vulnerability :…… Stack Overflow
Severity: ……. High (CVSS 7.5)
Date: ………. 2026-06-09
Prediction: ……. Patch 2026-06-09
What Undercode Say:
Check installed MessagePack version in a .NET project
dotnet list package --include-transitive | grep MessagePack
Example output if vulnerable:
MessagePack 2.5.300
MessagePack 3.1.6
Check for known vulnerable versions in all projects
find . \( -name "*.csproj" -o -name "Directory.Packages.props" \) -exec grep -H "MessagePack" {} \;
// C# code snippet demonstrating the vulnerability (conceptual)
// This is NOT a working exploit and not the library's actual source; it illustrates the flawed ordering.
public DateTime ReadDateTime(ref MessagePackReader reader)
{
    // Extension body length as read from the wire (attacker-controlled).
    // ReadExtensionLength() is a stand-in for the reader's extension-header parsing.
    int extensionLength = reader.ReadExtensionLength(); // e.g., 1,000,000

    // VULNERABLE: the stack buffer is sized by the untrusted length before it is checked.
    // A large value exhausts the stack right here, and StackOverflowException cannot be caught.
    Span<byte> buffer = stackalloc byte[extensionLength]; // Stack overflow!

    // Validation happens AFTER allocation (too late)
    if (extensionLength != 4 && extensionLength != 8 && extensionLength != 12)
        throw new MessagePackSerializationException("Invalid timestamp length");

    // ... parse timestamp ...
}
Exploit:
An attacker can send a MessagePack payload containing a timestamp extension header with an oversized `ext_length` field (e.g., 0x7FFFFFFF) and minimal or no body data. When `MessagePackReader.ReadDateTime()` processes this payload, it enters the slow path, calculates `tokenSize` using the attacker-controlled length, and attempts to allocate that many bytes on the stack with stackalloc. The stack overflow occurs before any validation or exception handling, causing the process to terminate immediately. This attack requires no authentication and can be performed over any network channel that accepts MessagePack data.
Protection:
- Upgrade to MessagePack 2.5.301 or 3.1.7 (or later) immediately.
- If upgrade is not possible, avoid deserializing untrusted MessagePack payloads into types that contain `DateTime` or `DateTimeOffset` fields.
- Enforce strict maximum message sizes at the application level and reject malformed extension payloads before they reach MessagePack-CSharp.
- A web application firewall (WAF) or API gateway can only help if it parses MessagePack framing; a generic HTTP-level WAF never sees the extension header. Where MessagePack-aware filtering is available, reject ext tokens of type -1 whose declared body length is not 4, 8 or 12 bytes before forwarding the request.
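The wire-level view of the flaw and of the "reject malformed extension payloads before they reach MessagePack-CSharp" protection, as an added example that is not code from this page or from the MessagePack-CSharp project. It is written in Python rather than C#: it builds spec-compliant timestamp ext tokens (fixext4, fixext8, or ext8 with a 12-byte body, all of ext type -1), builds the kind of ext32 header described in the Exploit section whose declared length is the number the reader turns into tokenSize, and runs a pre-deserialization filter that walks the MessagePack tokens and rejects a timestamp ext whose declared length is not 4, 8 or 12, or whose body is shorter than declared, before anything is sized by that length. The function names, the MAX_DEPTH cap and the sample record are assumptions made for this illustration.

```python
import struct

TIMESTAMP_EXT_TYPE = -1                 # ext type the MessagePack spec reserves for timestamps
VALID_TIMESTAMP_LENGTHS = (4, 8, 12)    # timestamp32 / timestamp64 / timestamp96 body sizes
MAX_DEPTH = 64                          # nesting cap for this filter (assumption, not a library default)

# type byte -> fixed payload width: float32/64, uint8..uint64, int8..int64
_SCALAR = {0xCA: 4, 0xCB: 8, 0xCC: 1, 0xCD: 2, 0xCE: 4, 0xCF: 8, 0xD0: 1, 0xD1: 2, 0xD2: 4, 0xD3: 8}
_LEN_PREFIXED = {0xC4: 1, 0xC5: 2, 0xC6: 4, 0xD9: 1, 0xDA: 2, 0xDB: 4}   # bin8/16/32, str8/16/32
_CONTAINER = {0xDC: (2, 1), 0xDD: (4, 1), 0xDE: (2, 2), 0xDF: (4, 2)}    # array16/32, map16/32


class RejectedPayload(ValueError):
    """The message must not be handed to the deserializer."""


def encode_timestamp(seconds, nanoseconds=0):
    """Spec-compliant timestamp ext: fixext4, fixext8 or ext8 with a 12-byte body."""
    if nanoseconds == 0 and 0 <= seconds <= 0xFFFFFFFF:
        return b"\xd6\xff" + struct.pack(">I", seconds)                          # timestamp32
    if 0 <= seconds < (1 << 34):
        return b"\xd7\xff" + struct.pack(">Q", (nanoseconds << 34) | seconds)     # timestamp64
    return b"\xc7\x0c\xff" + struct.pack(">Iq", nanoseconds, seconds)            # timestamp96


def craft_oversized_timestamp(declared_len, body=b""):
    """ext32 header (0xc9) claiming `declared_len` bytes of type -1 data but carrying only `body`.
    Constructed to show the header the reader turns into tokenSize; not a working exploit."""
    return b"\xc9" + struct.pack(">I", declared_len) + b"\xff" + body


def _need(buf, pos, n):
    """Require `n` bytes at `pos`; return the offset just past them."""
    if pos + n > len(buf):
        raise RejectedPayload(f"truncated: {n} bytes declared at offset {pos}, {len(buf) - pos} present")
    return pos + n


def _ext(buf, pos, length):
    """Validate an ext token; `pos` is at the type byte, `length` came from the header."""
    _need(buf, pos, 1)
    ext_type = struct.unpack(">b", buf[pos:pos + 1])[0]
    # The check the vulnerable slow path made too late: judge the declared length first,
    # and never size any allocation by an attacker-chosen number.
    if ext_type == TIMESTAMP_EXT_TYPE and length not in VALID_TIMESTAMP_LENGTHS:
        raise RejectedPayload(f"timestamp ext with invalid body length {length} at offset {pos}")
    return _need(buf, pos + 1, length)


def _scan_n(buf, pos, count, depth):
    for _ in range(count):               # stops at the first missing byte, so cost is O(len(buf))
        pos = _scan(buf, pos, depth + 1)
    return pos


def _scan(buf, pos, depth):
    """Walk one MessagePack object at `pos`; return the offset just past it."""
    if depth > MAX_DEPTH:
        raise RejectedPayload("nesting too deep")
    _need(buf, pos, 1)
    b, pos = buf[pos], pos + 1
    if b <= 0x7F or b >= 0xE0 or b in (0xC0, 0xC2, 0xC3):   # fixint, nil, bool
        return pos
    if 0x80 <= b <= 0x8F:                                    # fixmap
        return _scan_n(buf, pos, 2 * (b & 0x0F), depth)
    if 0x90 <= b <= 0x9F:                                    # fixarray
        return _scan_n(buf, pos, b & 0x0F, depth)
    if 0xA0 <= b <= 0xBF:                                    # fixstr
        return _need(buf, pos, b & 0x1F)
    if 0xD4 <= b <= 0xD8:                                    # fixext1/2/4/8/16
        return _ext(buf, pos, 1 << (b - 0xD4))
    if 0xC7 <= b <= 0xC9:                                    # ext8/16/32: length precedes type byte
        width = (1, 2, 4)[b - 0xC7]
        _need(buf, pos, width)
        return _ext(buf, pos + width, int.from_bytes(buf[pos:pos + width], "big"))
    if b in _SCALAR:
        return _need(buf, pos, _SCALAR[b])
    if b in _LEN_PREFIXED:
        width = _LEN_PREFIXED[b]
        _need(buf, pos, width)
        return _need(buf, pos + width, int.from_bytes(buf[pos:pos + width], "big"))
    if b in _CONTAINER:
        width, per_item = _CONTAINER[b]
        _need(buf, pos, width)
        return _scan_n(buf, pos + width, per_item * int.from_bytes(buf[pos:pos + width], "big"), depth)
    raise RejectedPayload(f"reserved type byte 0x{b:02x} at offset {pos - 1}")


def check_payload(buf):
    """'ok' if the whole message is well-formed, otherwise the rejection reason."""
    try:
        end = _scan(buf, 0, 0)
    except RejectedPayload as exc:
        return str(exc)
    return "ok" if end == len(buf) else f"trailing bytes after offset {end}"


def sample_record(created):
    """Constructed fixmap {"user": "alice", "created": <timestamp ext>}, as a DTO with a DateTime would serialize."""
    return b"\x82" + b"\xa4" + b"user" + b"\xa5" + b"alice" + b"\xa7" + b"created" + created


VALID = sample_record(encode_timestamp(1_700_000_000))
MALICIOUS = sample_record(craft_oversized_timestamp(1_000_000))   # header claims 1,000,000 body bytes, sends none

if __name__ == "__main__":
    print("valid     ->", check_payload(VALID))
    print("malicious ->", check_payload(MALICIOUS))
```

Running it prints `ok` for the valid record and the rejection reason for the crafted one. The filter is deliberately ordered the way the patched reader is: the declared length is judged against the allowed timestamp sizes first, and the only thing ever derived from it afterwards is a bounds check against the bytes actually received. Rejecting on truncation as well covers the payload in the Exploit section, which declares far more body than it sends.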
Impact:
Successful exploitation leads to an uncatchable `StackOverflowException` that crashes the host process, resulting in a denial of service (DoS). The crash can be triggered with a very small payload, making the attack efficient and easy to execute. The vulnerability affects all applications that deserialize untrusted MessagePack data containing date/time fields, regardless of security settings like `UntrustedData` or MaximumObjectGraphDepth. No data corruption or privilege escalation is possible—the impact is strictly availability loss.
Sources:
Reported By: github.com

