CVE-2026-48502 - Medium Severity Vulnerability
Vulnerable Library - messagepack.3.1.4.nupkg
Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: https://api.nuget.org/packages/messagepack.3.1.4.nupkg
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg
Dependency Hierarchy:
- enyimmemcachedcore.3.5.0.nupkg (Root Library)
- ❌ messagepack.3.1.4.nupkg (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Publish Date: 2026-06-22
URL: CVE-2026-48502
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-382j-8mxh-c7x2
Release Date: 2026-06-22
Fix Resolution: messagepack - 3.1.7,MessagePack - 3.1.7
Step up your Open Source Security Game with Mend here
CVE-2026-48502 - Medium Severity Vulnerability
Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: https://api.nuget.org/packages/messagepack.3.1.4.nupkg
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg
Dependency Hierarchy:
Found in base branch: develop
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Publish Date: 2026-06-22
URL: CVE-2026-48502
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-382j-8mxh-c7x2
Release Date: 2026-06-22
Fix Resolution: messagepack - 3.1.7,MessagePack - 3.1.7
Step up your Open Source Security Game with Mend here