MessagePack-CSharp: DynamicUnionResolver Generated Deserializers Miss Depth Enforcement, CVE-2026-48513 (Medium Severity) -DC-Jun2026-650


MessagePack for C# is a widely used binary serialization framework for .NET applications. Prior to the patched versions 2.5.301 and 3.1.7, the library contains a vulnerability in how runtime-generated union deserializers handle recursive depth tracking.
The `DynamicUnionResolver` emits deserialization code for types decorated with `[Union]` attributes (interfaces or abstract classes with multiple concrete subtypes). For performance, these deserializers are generated at runtime via IL emission. The vulnerability arises because the generated deserializers do not call `MessagePackSecurity.DepthStep(ref reader)` and do not decrement `reader.Depth` around the recursive deserialization and skip paths.
This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys — where the payload specifies a union subtype that the deserializer does not recognize — the emitted deserializer calls `reader.Skip()` on attacker-controlled data without an enclosing depth step. This creates an exploitable gap where malicious data can bypass normal security checks.
An attacker can provide a union payload with an unknown key and a deeply nested value. Because the generated union formatter does not enter the depth accounting scope before skipping or recursively processing the value, configured depth limits are bypassed. In combination with recursive skip behavior, this can terminate the process with an uncatchable `StackOverflowException`.
This issue is narrower than the general `TrySkip()` recursion issue because it specifically concerns a formatter-generation path that fails to count union nesting. The fix involves emitting `DepthStep` and matching `reader.Depth--` cleanup in dynamic union deserializers, consistent with other recursive formatter implementations.

<h2 style="color: blue;">DailyCVE Form:</h2>

Platform: MessagePack-CSharp
Version: < 2.5.301, < 3.1.7
Vulnerability: Missing depth-step enforcement
Severity: 6.3 (CVSSv4) / 7.5 (CVSSv3.1)
Date: 2026-06-22

<h2 style="color: blue;">Prediction: 2026-06-23 (patches released)</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

The following checks can be used to verify whether a project references an affected version:

```bash
# Check the MessagePack-CSharp version referenced by your project
dotnet list package --outdated | grep MessagePack
# Alternatively, inspect the .csproj file directly
grep -A 2 "MessagePack" YourProject.csproj
```

Code Review Focus: Inspect the `DynamicUnionResolver.BuildDeserialize` method in the source code. Verify that the emitted IL for union deserialization includes:

```csharp
// Expected pattern (present in fixed versions): the union level is counted
// before any nested value is read, and the count is undone on every exit path
options.Security.DepthStep(ref reader);
try
{
    // ... deserialization logic, including reader.Skip() for unknown keys ...
}
finally
{
    reader.Depth--; // matching cleanup, as in the other recursive formatters
}
```

Vulnerable Pattern (prior to fix):

```csharp
// Generated deserializer does NOT call DepthStep()
// and directly calls reader.Skip() without depth accounting
reader.Skip(); // No depth enforcement!
```

Testing Payload Concept:

```csharp
// Craft a MessagePack payload with an unknown union key and deep nesting.
// The exact bytes depend on your union type schema,
// but the structure is: map with unknown key -> deeply nested array/map
var deepPayload = new byte[] { /* ... attacker-controlled bytes ... */ };
var result = MessagePackSerializer.Deserialize<IMyUnion>(deepPayload);
// If depth > MaximumObjectGraphDepth, a StackOverflowException may occur
```

How the Exploit Works:

  1. Identify an application that deserializes untrusted MessagePack data using `DynamicUnionResolver` with `[Union]`-decorated types.
  2. Craft a MessagePack payload containing a union with an unknown key (a key that does not match any registered subtype).
  3. Nest the value associated with that unknown key deeply — for example, an array containing arrays containing arrays, repeated thousands of times.
  4. Send the payload to the target application's deserialization endpoint.
  5. Because the generated union deserializer calls `reader.Skip()` without calling `DepthStep()`, the depth limit configured in `MessagePackSecurity.MaximumObjectGraphDepth` is bypassed.
  6. Result: the recursive skip operation exhausts the call stack, triggering an uncatchable `StackOverflowException` that terminates the process.

Protection:

| Mitigation | Description |
|---|---|
| Upgrade | Upgrade to MessagePack-CSharp 2.5.301 or later, or 3.1.7 or later |
| Disable DynamicUnionResolver | For untrusted data, avoid using DynamicUnionResolver; use source-generated formatters instead |
| Manual Depth Checks | Implement custom depth guards by calling `MessagePackSecurity.DepthStep` around union deserialization |
| Input Validation | Enforce outer message-size and schema constraints before deserialization |
| Network Controls | Reject malformed or excessively large payloads at the network perimeter |
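As an added example (not the project's code and not part of the advisory), a hand-written formatter for a hypothetical `IShape` union that applies the depth accounting the fix describes and the Manual Depth Checks mitigation recommends; `IShape`, `Circle`, `Square` and `ShapeUnionFormatter` are assumed names, while the `MessagePackSecurity.DepthStep` / `reader.Depth--` pair is the library's own API.

```csharp
using MessagePack;
using MessagePack.Formatters;

// Hypothetical union hierarchy used only for this example.
public interface IShape { }
[MessagePackObject] public sealed class Circle : IShape { [Key(0)] public double Radius { get; set; } }
[MessagePackObject] public sealed class Square : IShape { [Key(0)] public double Side { get; set; } }

// Hand-written union formatter that applies the depth accounting the fixed DynamicUnionResolver
// emits: enter the scope before any nested read or skip, leave it in finally on every exit path.
public sealed class ShapeUnionFormatter : IMessagePackFormatter<IShape>
{
    public void Serialize(ref MessagePackWriter writer, IShape value, MessagePackSerializerOptions options)
    {
        if (value is null) { writer.WriteNil(); return; }
        writer.WriteArrayHeader(2); // union wire format: [key, value]
        switch (value)
        {
            case Circle c: writer.Write(0); options.Resolver.GetFormatterWithVerify<Circle>().Serialize(ref writer, c, options); break;
            case Square s: writer.Write(1); options.Resolver.GetFormatterWithVerify<Square>().Serialize(ref writer, s, options); break;
            default: throw new MessagePackSerializationException("Unregistered union subtype: " + value.GetType());
        }
    }

    public IShape Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) return null;
        // Count this union as one graph level *before* touching the nested value;
        // throws MessagePackSerializationException once MaximumObjectGraphDepth is exceeded.
        options.Security.DepthStep(ref reader);
        try
        {
            if (reader.ReadArrayHeader() != 2)
                throw new MessagePackSerializationException("Invalid union encoding");
            switch (reader.ReadInt32())
            {
                case 0: return options.Resolver.GetFormatterWithVerify<Circle>().Deserialize(ref reader, options);
                case 1: return options.Resolver.GetFormatterWithVerify<Square>().Deserialize(ref reader, options);
                default:
                    // Unknown key: the value is skipped inside the depth scope, the step the vulnerable generated code omitted.
                    reader.Skip();
                    return null;
            }
        }
        finally
        {
            reader.Depth--; // matching cleanup, as in the library's other recursive formatters
        }
    }
}
```

Register the formatter with `CompositeResolver.Create(new IMessagePackFormatter[] { new ShapeUnionFormatter() }, new[] { StandardResolver.Instance })` and deserialize untrusted input with `MessagePackSecurity.UntrustedData` so that `MaximumObjectGraphDepth` is actually enforced.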

Impact:

| Aspect | Description |
|---|---|
| Denial of Service | Attackers can crash the application process with a `StackOverflowException` |
| Resource Exhaustion | Unbounded recursion can exhaust system resources (stack memory) |
| Scope | Affects applications that accept untrusted MessagePack payloads and use `[Union]`-decorated types with `DynamicUnionResolver` |
| Exploitability | Remote attacker can influence the payload being deserialized |
| CVSS Score | 6.3 (Moderate) per CVSSv4, 7.5 (High) per CVSSv3.1 |
| CWE | CWE-674: Uncontrolled Recursion |
| Finding ID | MESSAGEPACKCSHARP-070 |


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
