MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture. This vulnerability is fixed in 2.5.301 and 3.1.7.
MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
Problem type
Affected products
MessagePack-CSharp
>= 3.1.7, < 3.1.7 - AFFECTED
< 2.5.301 - AFFECTED
References
GitHub Security Advisories
GHSA-q2h6-ghwm-5qm8
MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
https://github.com/advisories/GHSA-q2h6-ghwm-5qm8
Summary
InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>().
Other hash-based collection formatters use the security-aware comparer when MessagePackSecurity.UntrustedData is configured. This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture.
Impact
Applications are affected when they deserialize untrusted payloads into schemas containing ILookup<TKey,TElement> with a key type for which attacker-controlled hash collisions are feasible.
Under the default comparer, many colliding keys can degrade dictionary insertion from amortized constant time to quadratic behavior. A payload of colliding keys can consume CPU for a disproportionate amount of time. This bypasses the mitigation that developers intentionally enabled by using MessagePackSecurity.UntrustedData.
Affected components
- Package: MessagePack
- API: InterfaceLookupFormatter<TKey,TElement>.Create
- Data type: ILookup<TKey,TElement>
- Finding ID: MESSAGEPACKCSHARP-041
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade MessagePack to the patched version for your release line.
- Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should create the internal dictionary with options.Security.GetEqualityComparer<TKey>(), matching the sibling dictionary and lookup formatter behavior.
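The following is an added illustration of the defect and fix patterns described above; it is not the library's own InterfaceLookupFormatter. It assumes the MessagePack 2.x public formatter API (IMessagePackFormatter<T>, MessagePackReader/MessagePackWriter, options.Resolver.GetFormatterWithVerify<T>(), options.Security.GetEqualityComparer<TKey>(), MessagePackSerializerOptions.WithSecurity) and uses a constructed wire layout (a map of key to array of elements) together with two small helper types, SimpleLookup and SimpleGrouping, that stand in for the library's internal lookup class. The useSecurityComparer flag exists only so the two dictionary constructions can be seen side by side; a real formatter would always take the secure branch.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using MessagePack;
using MessagePack.Formatters;

// Helper type constructed for this example: ILookup over a caller-supplied dictionary.
sealed class SimpleLookup<TKey, TElement> : ILookup<TKey, TElement>
{
    private readonly Dictionary<TKey, IGrouping<TKey, TElement>> groups;
    public SimpleLookup(Dictionary<TKey, IGrouping<TKey, TElement>> groups) => this.groups = groups;
    public IEnumerable<TElement> this[TKey key] =>
        groups.TryGetValue(key, out var g) ? g : Enumerable.Empty<TElement>();
    public int Count => groups.Count;
    public bool Contains(TKey key) => groups.ContainsKey(key);
    public IEnumerator<IGrouping<TKey, TElement>> GetEnumerator() => groups.Values.GetEnumerator();
    IEnumerator IEnumerable.GetEnumerator() => GetEnumerator();
}

// Helper type constructed for this example: one key with its elements.
sealed class SimpleGrouping<TKey, TElement> : IGrouping<TKey, TElement>
{
    private readonly List<TElement> items;
    public SimpleGrouping(TKey key, List<TElement> items) { Key = key; this.items = items; }
    public TKey Key { get; }
    public IEnumerator<TElement> GetEnumerator() => items.GetEnumerator();
    IEnumerator IEnumerable.GetEnumerator() => GetEnumerator();
}

// Example formatter (not the library's): wire format is map { key => [element, ...] }.
sealed class LookupFormatter<TKey, TElement> : IMessagePackFormatter<ILookup<TKey, TElement>>
{
    private readonly bool useSecurityComparer;
    public LookupFormatter(bool useSecurityComparer) => this.useSecurityComparer = useSecurityComparer;

    public void Serialize(ref MessagePackWriter writer, ILookup<TKey, TElement> value, MessagePackSerializerOptions options)
    {
        if (value == null) { writer.WriteNil(); return; }
        var keyFormatter = options.Resolver.GetFormatterWithVerify<TKey>();
        var elementFormatter = options.Resolver.GetFormatterWithVerify<TElement>();
        writer.WriteMapHeader(value.Count);
        foreach (var group in value)
        {
            keyFormatter.Serialize(ref writer, group.Key, options);
            var elements = group.ToList();
            writer.WriteArrayHeader(elements.Count);
            foreach (var e in elements) elementFormatter.Serialize(ref writer, e, options);
        }
    }

    public ILookup<TKey, TElement> Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) return null;
        var keyFormatter = options.Resolver.GetFormatterWithVerify<TKey>();
        var elementFormatter = options.Resolver.GetFormatterWithVerify<TElement>();

        // Defect pattern: the default comparer, so a payload of colliding keys degrades
        // insertion toward quadratic time regardless of the configured security posture.
        // Fix pattern: the comparer from options.Security, which is the collision-resistant
        // one when MessagePackSecurity.UntrustedData is in effect, as the sibling
        // dictionary formatters already do.
        var groups = useSecurityComparer
            ? new Dictionary<TKey, IGrouping<TKey, TElement>>(options.Security.GetEqualityComparer<TKey>())
            : new Dictionary<TKey, IGrouping<TKey, TElement>>();

        int groupCount = reader.ReadMapHeader();
        for (int i = 0; i < groupCount; i++)
        {
            TKey key = keyFormatter.Deserialize(ref reader, options);
            int elementCount = reader.ReadArrayHeader();
            // A List is filled element by element rather than pre-sized from an untrusted header.
            var items = new List<TElement>();
            for (int j = 0; j < elementCount; j++) items.Add(elementFormatter.Deserialize(ref reader, options));
            groups[key] = new SimpleGrouping<TKey, TElement>(key, items);
        }
        return new SimpleLookup<TKey, TElement>(groups);
    }
}

static class ComparerCheck
{
    // Quick check of which comparer the options hand out under each posture:
    // false means the default comparer is in play, true means a non-default
    // (collision-resistant) comparer was supplied.
    static void Main()
    {
        var trusted = MessagePackSerializerOptions.Standard;
        var untrusted = MessagePackSerializerOptions.Standard.WithSecurity(MessagePackSecurity.UntrustedData);
        Console.WriteLine("trusted non-default comparer:   " +
            !ReferenceEquals(trusted.Security.GetEqualityComparer<string>(), EqualityComparer<string>.Default));
        Console.WriteLine("untrusted non-default comparer: " +
            !ReferenceEquals(untrusted.Security.GetEqualityComparer<string>(), EqualityComparer<string>.Default));
    }
}
```

The point of the ComparerCheck program is that opting into UntrustedData only helps for formatters that actually ask options.Security for their comparer; a formatter that calls the parameterless Dictionary constructor never sees the configured comparer, which is exactly the omission this advisory describes. When auditing a custom or third-party formatter for the same class of bug, grep for hash-based collection constructors (Dictionary, HashSet, and lookups built on them) in Deserialize paths and confirm each one receives options.Security.GetEqualityComparer<T>().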
Workarounds
Patching is recommended.
Until a patched version is available, avoid exposing ILookup<TKey,TElement> in DTOs that deserialize untrusted data. Use collection shapes that are already protected by the security-aware comparer path, or validate and cap collection sizes at the transport boundary.
Resources
- MESSAGEPACKCSHARP-041: InterfaceLookupFormatter missing security comparer
- CWE-407: Inefficient Algorithmic Complexity
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-48516
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-48516",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:09:51.787Z",
"dateReserved": "2026-05-21T16:18:10.619Z",
"datePublished": "2026-06-22T21:09:51.787Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:09:51.787Z"
},
"title": "MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings",
"descriptions": [
{
"lang": "en",
"value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7."
}
],
"affected": [
{
"vendor": "MessagePack-CSharp",
"product": "MessagePack-CSharp",
"versions": [
{
"version": ">= 3.1.7, < 3.1.7",
"status": "affected"
},
{
"version": "< 2.5.301",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"cweId": "CWE-407",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-q2h6-ghwm-5qm8",
"name": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-q2h6-ghwm-5qm8",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{}
]
}
}
}