How CVE-2026-48516 Works
MessagePack-CSharp is a popular MessagePack serializer for C# that provides formatters for various collection types. Among these is `InterfaceLookupFormatter<TKey,TElement>`, which handles serialization and deserialization of `ILookup<TKey,TElement>`. When deserializing untrusted data, developers can opt into a hardened security posture by configuring `MessagePackSecurity.UntrustedData`, which instructs the library to use security-aware equality comparers for hash-based collections to mitigate hash-collision denial-of-service attacks.
The vulnerability arises because `InterfaceLookupFormatter<TKey,TElement>` builds its internal dictionary with the default equality comparer rather than with `options.Security.GetEqualityComparer<TKey>()`. This means that even when an application explicitly opts into the `UntrustedData` security posture, the `ILookup` formatter does not honor that setting.
An attacker can exploit this omission by crafting a payload containing a large number of keys that collide under the default hash comparer. Under the default comparer, inserting many colliding keys into a `Dictionary
Affected versions include all MessagePack-CSharp releases prior to 2.5.301 and prior to 3.1.7. The fix, implemented in the patched versions, creates the internal dictionary using `options.Security.GetEqualityComparer<TKey>()`, aligning the behavior with the other hash-based collection formatters.
DailyCVE Form
| Field | Value |
|-|-|
| Platform | MessagePack-CSharp |
| Version | < 2.5.301, < 3.1.7 |
| Vulnerability | Security comparer bypass |
| Severity | Medium (CVSS 6.3) |
| Date | 2026-06-23 |
| Prediction | 2026-07-07 |
What Undercode Says
Analytics:

```shell
# Check the MessagePack-CSharp version in a .NET project
# (findstr on Windows; use grep on other platforms)
dotnet list package --include-transitive | findstr MessagePack

# Alternatively, inspect the .csproj file
cat YourProject.csproj | grep -i MessagePack

# Check for ILookup<TKey,TElement> usage in DTOs
grep -r "ILookup<" --include="*.cs" .
```
Exploit:

```csharp
// Attacker-controlled payload with colliding hash keys
// Under default equality comparer, these keys cause O(n^2) insertion time
var maliciousPayload = new Dictionary<string, object>
{
    { "Aa", "value1" }, // Collides with "BB" under some default hash implementations
    { "BB", "value2" },
    // ... thousands of colliding keys
};
// Serialize and send to a vulnerable endpoint that deserializes into ILookup<string, TElement>
```
Protection:

```xml
<!-- Upgrade to a patched version: PackageReference to MessagePack 2.5.301 or 3.1.7 -->
<PackageReference Include="MessagePack" Version="2.5.301" />
```

If an upgrade is not immediately possible, avoid exposing `ILookup<TKey,TElement>` in DTOs that deserialize untrusted data. Use `Dictionary<TKey, TElement>` or `List<T>` instead, which are protected by the security-aware comparer path. Implement request throttling or CPU quotas around serialization.
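The workaround above as a worked C# example (added here; not code from the advisory or from the MessagePack-CSharp project): untrusted bytes are deserialized into a `Dictionary<string, List<int>>` under the `UntrustedData` posture, and the `ILookup` the application needs is built in memory afterwards. It assumes the MessagePack NuGet package is referenced and uses a constructed sample payload.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using MessagePack;

public static class SafeLookupReader
{
    // UntrustedData makes the Dictionary formatter build its table with
    // options.Security.GetEqualityComparer<TKey>(); the ILookup formatter in
    // affected versions ignores it, so ILookup is never deserialized directly.
    private static readonly MessagePackSerializerOptions UntrustedOptions =
        MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData);

    // Deserialize untrusted bytes as Dictionary<string, List<int>> and only then
    // build the ILookup<string, int> the application expects, reusing the same
    // security-aware comparer for the in-memory lookup.
    public static ILookup<string, int> ReadLookup(ReadOnlyMemory<byte> untrustedBytes)
    {
        Dictionary<string, List<int>> groups =
            MessagePackSerializer.Deserialize<Dictionary<string, List<int>>>(
                untrustedBytes, UntrustedOptions);

        IEqualityComparer<string> comparer =
            UntrustedOptions.Security.GetEqualityComparer<string>();

        return groups
            .SelectMany(kv => kv.Value.Select(v => (Key: kv.Key, Value: v)))
            .ToLookup(p => p.Key, p => p.Value, comparer);
    }

    public static void Main()
    {
        // Constructed sample payload, standing in for what a client would send.
        var sample = new Dictionary<string, List<int>>
        {
            ["Aa"] = new List<int> { 1, 2 },
            ["BB"] = new List<int> { 3 },
        };
        byte[] wire = MessagePackSerializer.Serialize(sample, UntrustedOptions);

        ILookup<string, int> lookup = ReadLookup(wire);
        foreach (IGrouping<string, int> g in lookup)
            Console.WriteLine($"{g.Key}: {string.Join(",", g)}");
    }
}
```

The same pattern applies to any `ILookup<TKey,TElement>` in a DTO: change the serialized shape to a dictionary of lists and convert after deserialization, keeping the comparer from `options.Security`.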
Impact:
– Denial of Service: An attacker can cause CPU exhaustion by sending a payload with colliding keys, making the application unresponsive.
– Bypass of Security Posture: Applications that explicitly enable `MessagePackSecurity.UntrustedData` remain vulnerable because the `ILookup` formatter ignores the security setting.
– Affected Scenarios: Any application that deserializes untrusted data into schemas containing `ILookup
Sources:
Reported By: github.com