MessagePack-CSharp JSON Conversion Uncontrolled Recursion, CVE-2026-48512 (Medium) -DC-Jun2026-649


How CVE-2026-48512 Works

MessagePack-CSharp is a popular MessagePack serializer for C#. Prior to versions 2.5.301 and 3.1.7, its JSON conversion helpers contained multiple recursion paths that failed to enforce a consistent depth limit. These paths exist within the JSON conversion component, distinct from normal typed MessagePack deserialization.
The vulnerability manifests through three distinct but related issues:
1. Unbounded Structural Recursion in ConvertFromJson: The `MessagePackSerializer.ConvertFromJson` method recursively processes nested JSON arrays and objects inside its internal `FromJsonCore()` function. This recursion occurs without consulting the configured `MessagePackSecurity.MaximumObjectGraphDepth` limit. An attacker can supply a deeply nested JSON payload (e.g., an array containing an array containing an array, repeated thousands of times). Each level of nesting adds a new frame to the call stack. Eventually, the stack overflows, triggering an uncatchable `StackOverflowException` that crashes the entire process.
2. Separator Self-Recursion in TinyJsonReader: The `TinyJsonReader.ReadNextToken()` method, used internally for JSON parsing, recursively consumes comma (,) and colon (:) separator characters. A malformed JSON payload containing an extremely long run of commas (e.g., [,,,,,,,,,,,,,,,,...]) causes the parser to recurse once for every separator character before it can reject the input as invalid. This allows an attacker to exhaust the stack with a relatively small payload, again leading to a crash.
3. Missing Depth Enforcement in `ConvertToJson` for Typeless Extensions: The `MessagePackSerializer.ConvertToJson` method correctly applies depth checks when converting arrays and maps. However, the typeless extension branch, which handles data encoded with the extension type ext-100, recursively calls `ToJsonCore()` without applying the `MessagePackSecurity.DepthStep(ref reader)` guard. An attacker can craft a MessagePack payload containing nested typeless extension wrappers, causing the same unbounded recursion and `StackOverflowException` during the conversion to JSON.
`MessagePackSecurity.UntrustedData` does not fully mitigate these conversion paths because the missing checks occur inside JSON conversion and tokenization branches that do not consistently use the configured depth policy. Each path allows attacker-controlled input to exhaust the process stack, resulting in a denial-of-service condition that cannot be caught by application-level exception handlers.

DailyCVE Form

Platform: `MessagePack-CSharp`

Version: `< 2.5.301, < 3.1.7`

Vulnerability: `Uncontrolled Recursion`

Severity: `7.5 (HIGH)`

Date: `2026-06-22`

Prediction (expected patch date): `Already Patched (2026-06-22)`

What Undercode Says:

Analytics:

  • Attack Vector: Network-based, unauthenticated
  • Attack Complexity: High (requires crafting specific payloads)
  • Privileges Required: None
  • User Interaction: None
  • Impact: Availability (High), Confidentiality (None), Integrity (None)
  • Weakness: CWE-674: Uncontrolled Recursion

Bash Commands and Codes:

Check installed MessagePack-CSharp package version in a .NET project:

dotnet list package --include-transitive | grep MessagePack

Check version in a project file (`.csproj`):

grep -E 'PackageReference\s+Include="MessagePack"' *.csproj

Vulnerable code pattern (C#):

// POTENTIALLY VULNERABLE: ConvertFromJson on untrusted input
byte[] msgpackBytes = MessagePackSerializer.ConvertFromJson(untrustedJsonString);
// POTENTIALLY VULNERABLE: ConvertToJson on untrusted MessagePack with ext-100
string json = MessagePackSerializer.ConvertToJson(untrustedMsgPackBytes);

Exploit:

  • Crafted JSON (for ConvertFromJson): A JSON array nested 20,000+ levels deep.
    [[[[[[[[[[[[[[[[[[[[ ... ]]]]]]]]]]]]]]]]]]]]
    
  • Crafted JSON (for TinyJsonReader): A malformed JSON array with a long run of commas.
    [,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,]
    
  • Crafted MessagePack (for ConvertToJson): A binary payload containing a deeply nested chain of `ext-100` typeless extension objects.

Protection:

  • Immediate: Upgrade to MessagePack-CSharp `2.5.301` or later (2.x line) or `3.1.7` or later (3.x line).
  • Workaround (if unable to patch immediately):
      • Do not pass untrusted JSON directly to `ConvertFromJson`.
      • Do not call `ConvertToJson` on untrusted MessagePack payloads that may contain typeless extension values.
      • Validate JSON nesting depth with a separate parser that enforces depth limits before calling MessagePack-CSharp.
      • Reject malformed JSON before conversion.
      • Apply strict input-size limits (reduces exposure but does not remove the recursive behavior).
  • Process-Level Mitigation: Run the service under a supervisor or watchdog that restarts the process when a `StackOverflowException` terminates it, since the exception cannot be handled in-process.
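The pre-validation workarounds above (rejecting malformed and over-deep JSON before `ConvertFromJson`, and bounding typeless nesting before `ConvertToJson`), as an added C# example that is not part of the advisory or of MessagePack-CSharp itself; the `BoundedConversion` class, its method names and the depth limit of 64 are assumptions, while `Utf8JsonReader`, `MessagePackReader` and `ReservedMessagePackExtensionTypeCode.Typeless` are existing APIs.

```csharp
using System.Text;
using System.Text.Json;
using MessagePack;
// Added example; MaxDepth and the class/method names are assumptions, not library API.
public static class BoundedConversion
{
    const int MaxDepth = 64;   // assumption: tune to the deepest legitimate schema
    // System.Text.Json counts depth iteratively and throws a catchable JsonException both
    // for nesting beyond MaxDepth and for malformed input such as "[,,,,]", so neither
    // payload class reaches ConvertFromJson's recursive parser.
    public static byte[] SafeConvertFromJson(string untrustedJson)
    {
        var reader = new Utf8JsonReader(Encoding.UTF8.GetBytes(untrustedJson),
                                        new JsonReaderOptions { MaxDepth = MaxDepth });
        while (reader.Read()) { }   // validation pass only; throws on bad input or depth
        return MessagePackSerializer.ConvertFromJson(untrustedJson);
    }
    // Pre-walks the payload with an explicit depth counter, descending into typeless ext
    // bodies so chained wrappers count toward the limit the vulnerable branch skipped.
    public static string SafeConvertToJson(byte[] untrustedMsgPack)
    {
        var reader = new MessagePackReader(untrustedMsgPack);
        while (!reader.End) Walk(ref reader, 0);
        return MessagePackSerializer.ConvertToJson(untrustedMsgPack);
    }
    // Recursion here is bounded by MaxDepth, so the walker's own stack use is capped.
    static void Walk(ref MessagePackReader reader, int depth)
    {
        if (depth > MaxDepth)
            throw new MessagePackSerializationException($"Nesting exceeds {MaxDepth}");
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Array:
                for (int n = reader.ReadArrayHeader(); n > 0; n--) Walk(ref reader, depth + 1);
                break;
            case MessagePackType.Map:   // each entry is a key followed by a value
                for (int n = reader.ReadMapHeader(); n > 0; n--) { Walk(ref reader, depth + 1); Walk(ref reader, depth + 1); }
                break;
            case MessagePackType.Extension:
                var header = reader.ReadExtensionFormatHeader();
                var body = reader.ReadRaw(header.Length);   // consume the ext payload
                if (header.TypeCode != ReservedMessagePackExtensionTypeCode.Typeless) break;
                var inner = new MessagePackReader(body);    // typeless body is itself MessagePack
                while (!inner.End) Walk(ref inner, depth + 1);
                break;
            default: reader.Skip(); break;   // scalars: nothing to descend into
        }
    }
}
```

Both helpers fail with an ordinary, catchable exception, so a caller can return an error response instead of losing the process to a `StackOverflowException`.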

Impact:

  • Denial of Service (DoS): An attacker can crash the application process by sending a relatively small, specially crafted payload.
  • Uncatchable Exception: The resulting `StackOverflowException` cannot be caught by `try-catch` blocks, leading to immediate process termination.
  • Affected Scenarios: Gateways, diagnostics endpoints, migration tools, logging paths, and any service that converts between external JSON and MessagePack payloads.


Sources:

Reported By: github.com