CVE-2026-48513 - Low Severity Vulnerability
Vulnerable Library - messagepack.3.1.4.nupkg
Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: https://api.nuget.org/packages/messagepack.3.1.4.nupkg
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg
Dependency Hierarchy:
- enyimmemcachedcore.3.5.0.nupkg (Root Library)
- ❌ messagepack.3.1.4.nupkg (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
Publish Date: 2026-06-22
URL: CVE-2026-48513
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wfr3-xj75-pfwh
Release Date: 2026-06-22
Fix Resolution: messagepack - 3.1.7,messagepack - 2.5.301,MessagePack - 2.5.301,MessagePack - 3.1.7
Step up your Open Source Security Game with Mend here
CVE-2026-48513 - Low Severity Vulnerability
Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: https://api.nuget.org/packages/messagepack.3.1.4.nupkg
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg
Dependency Hierarchy:
Found in base branch: develop
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in 2.5.301 and 3.1.7.
Publish Date: 2026-06-22
URL: CVE-2026-48513
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-wfr3-xj75-pfwh
Release Date: 2026-06-22
Fix Resolution: messagepack - 3.1.7,messagepack - 2.5.301,MessagePack - 2.5.301,MessagePack - 3.1.7
Step up your Open Source Security Game with Mend here