CVE-2026-48516 - Low Severity Vulnerability
Vulnerable Library - messagepack.3.1.4.nupkg
Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: https://api.nuget.org/packages/messagepack.3.1.4.nupkg
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg
Dependency Hierarchy:
- enyimmemcachedcore.3.5.0.nupkg (Root Library)
- ❌ messagepack.3.1.4.nupkg (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.
Publish Date: 2026-06-22
URL: CVE-2026-48516
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q2h6-ghwm-5qm8
Release Date: 2026-06-22
Fix Resolution: messagepack - 3.1.7,messagepack - 2.5.301,MessagePack - 3.1.7,MessagePack - 2.5.301
Step up your Open Source Security Game with Mend here
CVE-2026-48516 - Low Severity Vulnerability
Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: https://api.nuget.org/packages/messagepack.3.1.4.nupkg
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg
Dependency Hierarchy:
Found in base branch: develop
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.
Publish Date: 2026-06-22
URL: CVE-2026-48516
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-q2h6-ghwm-5qm8
Release Date: 2026-06-22
Fix Resolution: messagepack - 3.1.7,messagepack - 2.5.301,MessagePack - 3.1.7,MessagePack - 2.5.301
Step up your Open Source Security Game with Mend here