Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter constructs an internal Dictionary<TKey, IGrouping> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer(). This formatter omission allows hash-collision CPU denial of service against ILookup even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.

Severity (CVSS)

Base score6.3
SeverityMedium
VersionCVSS 4.0
VectorCVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Provided byCNA

Weaknesses

  • CWE-407 — CWE-407: Inefficient Algorithmic Complexity

Affected products

VendorProductVersions
MessagePack-CSharpMessagePack-CSharp>= 3.1.7, < 3.1.7; < 2.5.301

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 23 Jun 2026 10:05 UTC.