How CVE-2026-48509 Works
MessagePack for C# (MessagePack-CSharp) is a fast MessagePack serializer library widely used in .NET applications. The `MessagePack.AspNetCoreMvcFormatter` package provides a `MessagePackInputFormatter` class that integrates with ASP.NET Core MVC to deserialize HTTP request bodies encoded as MessagePack. This formatter is designed to handle data that crosses an HTTP trust boundary, meaning it processes input from external, potentially malicious clients.
The vulnerability, tracked as CVE-2026-48509, resides in the parameterless constructor `MessagePackInputFormatter()`. In affected versions (prior to 2.5.301 and 3.1.7), this constructor uses default serializer options that resolve to `MessagePackSerializerOptions.Standard` with `MessagePackSecurity.TrustedData`. The `TrustedData` posture assumes that the input being deserialized comes from a reliable source and therefore disables protections such as hash-collision-resistant hashing of keys in dictionaries and sets.
However, ASP.NET Core MVC request bodies are inherently untrusted inputs. For this scenario, the library provides MessagePackSecurity.UntrustedData, which enables protective measures against malicious payloads. The default use of `TrustedData` creates a dangerous mismatch between the library’s security assumptions and the actual runtime conditions in a web application.
An unauthenticated attacker can exploit this insecure default by sending crafted MessagePack request bodies. When such a payload is deserialized into a model containing a hash-based collection (such as `Dictionary<TKey, TValue>`), keys chosen to collide under the default hasher turn each insertion from an O(1) operation into an O(n) scan, so populating the collection costs O(n²) in the number of keys and consumes excessive CPU. The result is a denial-of-service condition in which the application becomes unresponsive or crashes entirely.
The vulnerability is classified under CWE-1188: Insecure Default Initialization of a Resource. It affects applications that register `new MessagePackInputFormatter()` without explicitly passing serializer options configured for untrusted data. The fix, implemented in versions 2.5.301 and 3.1.7, defaults the parameterless constructor to MessagePackSerializerOptions.Standard.WithSecurity(MessagePackSecurity.UntrustedData).
DailyCVE Form:
Platform: ASP.NET Core MVC
Version: < 2.5.301, < 3.1.7
Vulnerability: Insecure default serializer options (TrustedData)
Severity: 6.3 (Medium) / CVSS:3.1 9.1 (Critical)
Date: 2026-06-22
Prediction: 2026-07-15 (estimated patch adoption)
What Undercode Say:
    # Check the MessagePack.AspNetCoreMvcFormatter version in your project
    dotnet list package --outdated | grep MessagePack
    # Alternative: check the NuGet package reference in the .csproj files
    grep -i "MessagePack.AspNetCoreMvcFormatter" *.csproj
    # Scan for the vulnerable pattern: parameterless constructor usage
    grep -r "new MessagePackInputFormatter()" --include="*.cs" .
    # Check for explicit UntrustedData configuration (secure pattern)
    grep -r "WithSecurity(MessagePackSecurity.UntrustedData)" --include="*.cs" .
Code Example – Vulnerable Registration:
    // VULNERABLE: Uses parameterless constructor → TrustedData default
    services.AddMvc(options =>
    {
        options.InputFormatters.Add(new MessagePackInputFormatter());
    });
Code Example – Secure Registration (Workaround):
    // SECURE: Explicitly configure UntrustedData
    services.AddMvc(options =>
    {
        options.InputFormatters.Add(
            new MessagePackInputFormatter(
                MessagePackSerializerOptions.Standard.WithSecurity(
                    MessagePackSecurity.UntrustedData)));
    });
Code Example – Secure Registration (Post-Patch):
    // After upgrading to >= 2.5.301 or >= 3.1.7, the parameterless constructor is safe
    services.AddMvc(options =>
    {
        options.InputFormatters.Add(new MessagePackInputFormatter());
    });
Exploit:
An attacker sends an HTTP POST request with a MessagePack-encoded body containing a dictionary with many colliding hash keys. The payload size may be small, but the deserialization process causes the hash table to degrade to worst-case performance, consuming excessive CPU resources. The attack requires no authentication and can be performed remotely over HTTP. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
Protection:
- Upgrade MessagePack-CSharp to version 2.5.301 or 3.1.7 or newer.
- Workaround: if unable to upgrade immediately, explicitly configure `MessagePackInputFormatter` with `MessagePackSecurity.UntrustedData`.
- Apply HTTP request-size limits to mitigate resource exhaustion risks.
- Implement model validation appropriate for your service.
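The following Program.cs pulls the workaround registration and the request-size limit from the protection list above into one complete ASP.NET Core MVC service. It is an added example, not code from the advisory or from MessagePack-CSharp; the 1 MiB body limit, the `FormatterHardening` helper and the `ScoresController` are hypothetical names and values chosen for illustration. It builds the untrusted-data options once, refuses to start if those options ever lose the collision-resistant posture, and applies the same options to input and output formatting.

```csharp
// Program.cs for a minimal ASP.NET Core MVC service (added example, not from the advisory).
// Assumes the MessagePack and MessagePack.AspNetCoreMvcFormatter packages are referenced.
using System;
using System.Collections.Generic;
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Request bodies cross an HTTP trust boundary, so the formatter must use UntrustedData.
// Passing the options explicitly works on every library version, patched or not,
// instead of relying on whatever default the parameterless constructor picks.
var options = FormatterHardening.UntrustedOptions();

builder.Services.AddControllers(mvc =>
{
    mvc.InputFormatters.Add(new MessagePackInputFormatter(options));
    mvc.OutputFormatters.Add(new MessagePackOutputFormatter(options));
});

// Defence in depth: cap request bodies so a large payload cannot amplify the cost.
// FormatterHardening.MaxBodyBytes is a hypothetical value; size it to your own models.
builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.Limits.MaxRequestBodySize = FormatterHardening.MaxBodyBytes);

var app = builder.Build();
app.MapControllers();
app.Run();

// Hypothetical helper (not part of MessagePack-CSharp).
public static class FormatterHardening
{
    public const long MaxBodyBytes = 1024 * 1024; // hypothetical 1 MiB limit

    // Returns serializer options suitable for untrusted input and fails fast at startup
    // if a later configuration change swaps in a trusted posture.
    public static MessagePackSerializerOptions UntrustedOptions()
    {
        var untrusted = MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData);

        // UntrustedData turns on the hash-collision-resistant comparers used for
        // Dictionary<,> and HashSet<> keys; refuse to run if that flag is ever off.
        if (!untrusted.Security.HashCollisionResistant)
        {
            throw new InvalidOperationException(
                "MessagePack formatter must be configured for untrusted data.");
        }

        return untrusted;
    }
}

// Hypothetical endpoint whose model is the shape the advisory describes.
[ApiController]
[Route("api/[controller]")]
public class ScoresController : ControllerBase
{
    // With UntrustedData the dictionary keys are hashed through a collision-resistant
    // comparer, so keys precomputed to collide under the default hasher no longer
    // pile into a single bucket during deserialization.
    [HttpPost]
    [RequestSizeLimit(FormatterHardening.MaxBodyBytes)] // per-endpoint limit alongside Kestrel's
    public IActionResult Post([FromBody] Dictionary<string, int> scores)
    {
        if (scores is null || scores.Count == 0)
        {
            return BadRequest();
        }

        return Ok(new { received = scores.Count });
    }
}
```

The startup guard is the piece the advisory's grep checks cannot give you: it makes the untrusted posture a runtime invariant rather than a pattern someone has to remember to search for, and it keeps protecting the service if a later refactor reintroduces the parameterless constructor.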
Impact:
- Denial of Service: Attackers can cause excessive CPU consumption and application unavailability.
- No Authentication Required: Unauthenticated remote attackers can exploit this vulnerability.
- Affected Components: `MessagePack.AspNetCoreMvcFormatter` package, `MessagePackInputFormatter()` parameterless constructor.
- Finding IDs: MESSAGEPACKCSHARP-OPEN-009 (duplicate: MESSAGEPACKCSHARP-095).
- CWE: CWE-1188 – Insecure Default Initialization of a Resource.
Sources:
Reported By: github.com