2026-06-22 21:14 | CVE-2026-48511 | GitHub_M
PUBLISHED | 5.2 | CWE-407

MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

Problem type

Affected products

MessagePack-CSharp

MessagePack-CSharp

>= 3.1.7, < 3.1.7 - AFFECTED

< 2.5.301 - AFFECTED

References

GitHub Security Advisories

GHSA-2x83-8g95-xh59

MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps

https://github.com/advisories/GHSA-2x83-8g95-xh59

Summary

ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies.

For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals.

Impact

Applications are affected when they deserialize untrusted MessagePack maps into ExpandoObject using ExpandoObjectResolver or related resolver options.

A hostile payload containing many distinct keys can cause CPU exhaustion and allocation churn disproportionate to the input size. This can make a server unresponsive or exhaust memory under concurrent request load.

This is not a hash-collision attack against a configurable dictionary comparer. The super-linear behavior comes from ExpandoObject's insertion model, so MessagePackSecurity.UntrustedData does not eliminate the cost.

Affected components

  • Package: MessagePack
  • APIs: ExpandoObjectFormatter.Deserialize, ExpandoObjectResolver
  • Data type: System.Dynamic.ExpandoObject
  • Finding ID: MESSAGEPACKCSHARP-102

Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

  1. Upgrade MessagePack to the patched version for your release line.
  2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

Potential fixes include applying a map-entry count limit for ExpandoObject under untrusted-data settings, buffering into a security-aware dictionary before materializing a bounded ExpandoObject, or otherwise rejecting maps large enough to trigger quadratic behavior.

Workarounds

Patching is recommended.

Until a patched version is available, avoid deserializing untrusted payloads into ExpandoObject. Prefer strongly typed DTOs or dictionaries with security-aware comparers and explicit count limits. Enforce request-size and map-entry limits at the transport or application layer.
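The application-layer map-entry limit from the workaround above can be sketched as a pre-scan that reads only container headers before the payload reaches the ExpandoObject formatter. This is an added example, not code from the advisory or the MessagePack-CSharp project; MapEntryGuard, DeserializeGuarded, Walk and both limit values are assumptions.

```csharp
using System;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Added example: MapEntryGuard and its members are hypothetical names, not library APIs.
public static class MapEntryGuard
{
    // Assumed limits; tune to the largest legitimate message your service accepts.
    private const int MaxMapEntries = 1024;
    private const int MaxDepth = 32;

    // Pre-scan the payload, then deserialize with the resolver options named in the advisory.
    public static ExpandoObject DeserializeGuarded(ReadOnlyMemory<byte> payload)
    {
        var reader = new MessagePackReader(payload);
        Walk(ref reader, MaxDepth);
        return MessagePackSerializer.Deserialize<ExpandoObject>(payload, ExpandoObjectResolver.Options);
    }

    // Visits one MessagePack value, reading container headers and skipping everything else.
    private static void Walk(ref MessagePackReader reader, int depthLeft)
    {
        if (depthLeft == 0)
            throw new MessagePackSerializationException("Payload nesting exceeds the depth limit.");

        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Map:
                int entries = reader.ReadMapHeader();
                if (entries > MaxMapEntries)
                    throw new MessagePackSerializationException(
                        $"Map declares {entries} entries; limit is {MaxMapEntries}.");
                for (int i = 0; i < entries; i++)
                {
                    Walk(ref reader, depthLeft - 1); // key
                    Walk(ref reader, depthLeft - 1); // value
                }
                break;
            case MessagePackType.Array:
                int length = reader.ReadArrayHeader();
                for (int i = 0; i < length; i++)
                    Walk(ref reader, depthLeft - 1);
                break;
            default:
                reader.Skip(); // scalar, string, binary or extension: nothing to count
                break;
        }
    }
}
```

The scan is linear in the payload size and rejects an oversized map, including a nested one, before any ExpandoObject insertion happens. Pair it with a request-size cap at the transport layer.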

Resources

  • MESSAGEPACKCSHARP-102: ExpandoObjectFormatter quadratic insertion behavior
  • CWE-407: Inefficient Algorithmic Complexity

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-48511
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-48511",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T21:14:54.127Z",
    "dateReserved": "2026-05-21T16:18:10.618Z",
    "datePublished": "2026-06-22T21:14:54.127Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T21:14:54.127Z"
      },
      "title": "MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps",
      "descriptions": [
        {
          "lang": "en",
          "value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7."
        }
      ],
      "affected": [
        {
          "vendor": "MessagePack-CSharp",
          "product": "MessagePack-CSharp",
          "versions": [
            {
              "version": ">= 3.1.7, < 3.1.7",
              "status": "affected"
            },
            {
              "version": "< 2.5.301",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "cweId": "CWE-407",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59",
          "name": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}