CVE-2026-48517: Remote Code Execution via Typeless Deserialization Blocklist Bypass in MessagePack-CSharp
Vulnerability ID: CVE-2026-48517
CVSS Score: 7.5
Published: 2026-06-25
A critical vulnerability exists in MessagePack-CSharp's typeless deserialization mechanism where configured blocklists fail to recursively inspect nested types. An attacker can bypass security restrictions by wrapping unauthorized types in arrays or generic collections, allowing insecure deserialization and remote code execution.
TL;DR
MessagePack-CSharp prior to 2.5.301 and 3.1.7 fails to recursively validate elements of generic collections or arrays against type blocklists, enabling unauthenticated remote code execution via nested deserialization gadgets.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-502
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- EPSS Score: 0.00246
- Impact: Remote Code Execution
- Exploit Status: Proof of Concept / Theoretical
- KEV Status: Not Listed
Affected Systems
- MessagePack-CSharp
- com.github.messagepack-csharp NuGet package
- MessagePack.AspNetCoreMvcFormatter
- Unity assets integrating MessagePack-CSharp
- MessagePack-CSharp: < 2.5.301 (Fixed in: 2.5.301)
- MessagePack-CSharp: >= 3.0.3, < 3.1.7 (Fixed in: 3.1.7)
Code Analysis
- Commit f093bdc: Reject nested typeless blocklist bypass for CWE-502
- Commit fb0fe9f: Honor TypeFormatter options hooks for CWE-470
- Commit 5e72f06: Merge branches resolving security vulnerabilities collectively
- Commit 1b53ae8: Bump release package version
Mitigation Strategies
- Upgrade MessagePack-CSharp packages to 2.5.301 or 3.1.7 depending on the major version branch in use.
- Avoid Typeless formatting altogether and move to strict, contract-based or schema-based deserialization.
- Configure deserialization options with MessagePackSecurity.UntrustedData to apply strict limitations on incoming data.
- Ensure any custom MessagePackSerializerOptions subclasses override ThrowIfDeserializingTypeIsDisallowedCore or invoke the base method properly.
Remediation Steps:
- Identify all .NET project and package configuration files referencing MessagePack or MessagePack.AspNetCoreMvcFormatter.
- Execute the CLI command: dotnet add package MessagePack --version 3.1.7 (or 2.5.301 for legacy systems).
- Audit application code for custom implementations of MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed.
- Modify configurations to avoid setting FormatterResolver to Typeless Contract Resolvers unless absolutely necessary.
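The following is an added illustration, not code from the MessagePack-CSharp project or from the original advisory, of the weak typeless configuration next to the hardened, contract-based one recommended above. The Envelope type, the SafeDecoder class and the sample message are constructed for this example.

```csharp
using System;
using MessagePack;
using MessagePack.Resolvers;

// Contract-based message: the wire format carries only field keys, never type
// names, so the decoder can only ever instantiate Envelope (constructed type).
[MessagePackObject]
public class Envelope
{
    [Key(0)] public string Channel { get; set; } = string.Empty;
    [Key(1)] public byte[] Body { get; set; } = Array.Empty<byte>();
}

public static class SafeDecoder
{
    // Weak configuration: the typeless resolver instantiates whatever type name
    // the payload embeds, which is the surface this advisory concerns.
    // Kept here only for contrast; do not apply it to network input.
    public static readonly MessagePackSerializerOptions WeakTypeless =
        TypelessContractlessStandardResolver.Options;

    // Hardened configuration: attribute-driven standard resolver plus the
    // UntrustedData profile (collision-resistant hashing, object-graph depth limit).
    public static readonly MessagePackSerializerOptions Hardened =
        MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData);

    // Decode untrusted bytes into the fixed contract type; anything that is not a
    // well-formed Envelope is rejected instead of being resolved to a type.
    public static Envelope Decode(ReadOnlyMemory<byte> payload)
    {
        try
        {
            return MessagePackSerializer.Deserialize<Envelope>(payload, Hardened);
        }
        catch (MessagePackSerializationException ex)
        {
            throw new InvalidOperationException("Rejected malformed envelope", ex);
        }
    }

    public static void Main()
    {
        // Constructed sample message, round-tripped through the hardened options.
        var env = new Envelope { Channel = "orders", Body = new byte[] { 1, 2, 3 } };
        byte[] wire = MessagePackSerializer.Serialize(env, Hardened);
        Envelope back = Decode(wire);
        Console.WriteLine($"{back.Channel}: {back.Body.Length} bytes");
    }
}
```

Because Deserialize is bound to Envelope and the Standard resolver ignores embedded type names, the nested-collection blocklist bypass has no type-name lookup to reach.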