CVE-2026-48511 (Low) detected in messagepack.3.1.4.nupkg

## CVE-2026-48511 - Low Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - messagepack.3.1.4.nupkg</summary>

Extremely Fast MessagePack(MsgPack) Serializer for C# (.NET Framework, .NET 6, Unity, Xamarin).
Library home page: <a href="https://api.nuget.org/packages/messagepack.3.1.4.nupkg">https://api.nuget.org/packages/messagepack.3.1.4.nupkg</a>
Path to dependency file: /src/SharpConnector.Tests/SharpConnector.Tests.csproj
Path to vulnerable library: /home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg,/home/wss-scanner/.nuget/packages/messagepack/3.1.4/messagepack.3.1.4.nupkg


Dependency Hierarchy:
 - enyimmemcachedcore.3.5.0.nupkg (Root Library)
 - :x: **messagepack.3.1.4.nupkg** (Vulnerable Library)
Found in base branch: develop

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/low_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

Publish Date: 2026-06-22
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2026-48511>CVE-2026-48511</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (3.7)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: High
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: Low

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59">https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59</a>
Release Date: 2026-06-22
Fix Resolution: messagepack - 2.5.301,messagepack - 3.1.7,MessagePack - 3.1.7,MessagePack - 2.5.301


</details>


***
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2026-48511 (Low) detected in messagepack.3.1.4.nupkg #51

CVE-2026-48511 - Low Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2026-48511 (Low) detected in messagepack.3.1.4.nupkg #51

Description

CVE-2026-48511 - Low Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions