MessagePack-CSharp, Inefficient Algorithmic Complexity, CVE-2026-48511 (Medium) -DC-Jun2026-648

How CVE-2026-48511 Works

The vulnerability resides in the `ExpandoObjectFormatter.Deserialize` method of the MessagePack-CSharp library. This method is responsible for constructing a `System.Dynamic.ExpandoObject` from a MessagePack map.
The core of the issue lies in how `ExpandoObject` is populated. The deserialization process works by iterating through each entry in the MessagePack map and calling `IDictionary.Add` to add the key-value pair to the ExpandoObject.
Internally, `ExpandoObject` maintains its member names in array-like structures. When a new key is added, the implementation performs a linear scan of this internal array to check for duplicates before inserting the new member. If the key is new, the insertion may also trigger an array copy to accommodate the new member.
This implementation detail is the root cause of the vulnerability. For a standard map with a small number of keys, the cost of these linear scans and copies is negligible. However, an attacker can supply a malicious payload containing a map with a very large number of distinct keys.
For each key insertion, the work required is proportional to the current number of keys (O(n)). Therefore, inserting `n` keys results in a total workload proportional to 1 + 2 + 3 + ... + n, which is O(n²). This quadratic time complexity leads to excessive CPU consumption. Furthermore, the repeated array copies cause a quadratic increase in memory allocation and garbage collection pressure, leading to significant memory churn.
This behavior is particularly problematic because it can be triggered even when the `ExpandoObjectResolver.Options` are configured with `MessagePackSecurity.UntrustedData`. This setting is designed to protect against hash-collision attacks, but the vulnerability here is not a hash collision. It is a fundamental algorithmic inefficiency in the `ExpandoObject`'s insertion model, which the security setting cannot mitigate.

DailyCVE Form

Platform: MessagePack-CSharp
Version: < 2.5.301, < 3.1.7
Vulnerability: Algorithmic Complexity (CWE-407)
Severity: Medium (CVSS 6.3)
Date: 2026-06-22

Prediction: 2026-06-22 (Patch Released)

What Undercode Say

To confirm the presence of this vulnerability, a simple performance test can be conducted. The following C# code snippet demonstrates the quadratic behavior by deserializing MessagePack payloads with an increasing number of keys.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Dynamic;
using MessagePack;

public static class ExpandoBenchmark
{
    public static void BenchmarkDeserialization(int keyCount)
    {
        // Create a dictionary with 'keyCount' distinct entries
        var dict = new Dictionary<string, object>();
        for (int i = 0; i < keyCount; i++)
        {
            dict[$"Key_{i}"] = i;
        }

        // Serialize the dictionary to a MessagePack map
        byte[] msgpack = MessagePackSerializer.Serialize(dict);

        // Measure deserialization time into ExpandoObject
        var stopwatch = Stopwatch.StartNew();
        var result = MessagePackSerializer.Deserialize<ExpandoObject>(msgpack);
        stopwatch.Stop();
        Console.WriteLine($"Keys: {keyCount}, Time: {stopwatch.ElapsedMilliseconds}ms");
    }

    public static void Main()
    {
        // Run with increasing key counts: 1000, 2000, 4000, 8000
        // Expected output: Time increases quadratically with keyCount.
        foreach (int keyCount in new[] { 1000, 2000, 4000, 8000 })
        {
            BenchmarkDeserialization(keyCount);
        }
    }
}
```

Exploit

An attacker can exploit this vulnerability by sending a crafted MessagePack payload to an application that deserializes untrusted data into an ExpandoObject. The payload would be a MessagePack map containing a large number of distinct string keys.
The attacker does not need any special privileges or authentication to perform the attack. The exploit path is straightforward. By sending this malicious payload, the attacker can force the server to perform a quadratic amount of work, leading to high CPU usage and significant memory allocation. Under concurrent request load, this can quickly exhaust system resources, making the application unresponsive or causing it to crash.

Protection

Upgrade: The primary and recommended mitigation is to upgrade the MessagePack-CSharp library to a patched version. The vulnerability is fixed in versions 2.5.301 and 3.1.7 or later.
Limit Map Size: If an immediate upgrade is not possible, applications should validate and limit the size of maps before deserialization to prevent an attacker from sending an excessively large number of keys.
Avoid ExpandoObject: Avoid using `ExpandoObjectResolver` when processing untrusted data. Prefer using strongly typed Data Transfer Objects (DTOs) or dictionaries with security-aware comparers and explicit count limits.
Custom Converter: As a workaround, developers can write a custom converter for their project that limits the number of properties allowed before initializing the object.
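
One way to apply the "Limit Map Size" and "Custom Converter" workarounds above, shown as an added example that is not code from the MessagePack-CSharp project: a linear pre-scan with the library's `MessagePackReader` that rejects any payload whose maps declare too many entries before the bytes reach the `ExpandoObject` path. The class name `MapSizeGuard`, its method names and both limits are assumptions chosen for illustration.

```csharp
using System;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Hypothetical helper, not part of MessagePack-CSharp.
public static class MapSizeGuard
{
    // Assumed limits for illustration; size them to the largest legitimate message.
    private const int MaxMapEntries = 256;
    private const int MaxDepth = 32;

    // Linear pass over the payload: throws if any map, at any nesting level,
    // declares more entries than MaxMapEntries. Nothing is materialized.
    public static void EnsureWithinLimits(ReadOnlyMemory<byte> payload)
    {
        var reader = new MessagePackReader(payload);
        while (!reader.End) Walk(ref reader, 0);
    }

    private static void Walk(ref MessagePackReader reader, int depth)
    {
        if (depth > MaxDepth)
            throw new MessagePackSerializationException("Nesting exceeds MaxDepth.");
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Map:
                int entries = reader.ReadMapHeader();
                if (entries > MaxMapEntries)
                    throw new MessagePackSerializationException(
                        $"Map declares {entries} entries; limit is {MaxMapEntries}.");
                for (int i = 0; i < entries * 2; i++) // keys and values alternate
                    Walk(ref reader, depth + 1);
                break;
            case MessagePackType.Array:
                int length = reader.ReadArrayHeader();
                for (int i = 0; i < length; i++)
                    Walk(ref reader, depth + 1);
                break;
            default:
                reader.Skip(); // scalar, string, binary or extension value
                break;
        }
    }

    // Validate first, then hand the same bytes to the ExpandoObject path.
    public static ExpandoObject DeserializeChecked(ReadOnlyMemory<byte> payload)
    {
        EnsureWithinLimits(payload);
        return MessagePackSerializer.Deserialize<ExpandoObject>(payload, ExpandoObjectResolver.Options);
    }
}
```

Treat any exception thrown by the guard, including one raised by the reader on a truncated payload, as a rejection of the request.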

Impact

Denial of Service (DoS): The primary impact is a denial of service. An attacker can cause CPU exhaustion and memory churn disproportionate to the size of the input.
Application Unresponsiveness: The high CPU and memory consumption can make a server unresponsive or cause it to crash under load.
Availability: The vulnerability compromises the availability of the application.

Sources:

Reported By: github.com