Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter constructs an internal Dictionary<TKey, IGrouping> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer(). This formatter omission allows hash-collision CPU denial of service against ILookup even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.
Severity (CVSS)
| Base score | 6.3 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-407 — CWE-407: Inefficient Algorithmic Complexity
Affected products
| Vendor | Product | Versions |
|---|---|---|
| MessagePack-CSharp | MessagePack-CSharp | >= 3.1.7, < 3.1.7; < 2.5.301 |
References
Generated from the official CVE List on 23 Jun 2026 10:05 UTC.