4.8
Medium
MessagePack

CVE-2020-5234

CVE-2020-5234 is a medium-severity denial-of-service vulnerability in MessagePack (nuget), affecting versions < 1.9.11 on the 1.x line and >= 2.0.0, < 2.1.90 on the 2.x line. It is fixed in 1.9.11 and 2.1.90 respectively.

Key facts
CVSS score
4.8
Medium
Attack vector
Network
Issuing authority
GitHub Advisory Database
Affected package
MessagePack
Fixed in
1.9.11, 2.1.90
Disclosed
2020

Summary

Impact

When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors:

  • hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized.
  • stack overflow - leading to the deserializing process crashing.

Patches

The following steps are required to mitigate this risk:

  • Upgrade to a version of the library where a fix is available.
  • Add code to your application to put MessagePack into the defensive UntrustedData mode.
  • Identify all IMessagePackFormatter<T> implementations that do not ship with the MessagePack library and update them to include the security mitigations. This includes those acquired from 3rd party packages and classes included directly in your project.
  • Any AOT formatters generated with the MPC tool must be regenerated with the patched version of mpc.
  • Review your messagepack-serializable data structures for hash-based collections that use custom or unusual types for the hashed key. See below for details on handling such situations.
  • Review the MessagePackSecurity class to tweak any settings as necessary to strike the right balance between performance, functionality, and security.

Specialized IEqualityComparer<T> implementations provide the hash collision resistance. Each type of hashed key may require a specialized implementation of its own. The patched MessagePack library includes many such implementations for primitive types commonly used as keys in hash-based collections. If your data structures use custom types as keys in these hash-based collections, putting MessagePack in UntrustedData mode may lead the deserializer to throw an exception because no safe IEqualityComparer<T> is available for your custom T type.

You can provide your own safe implementation by deriving from the MessagePackSecurity class and overriding the GetHashCollisionResistantEqualityComparer<T>() method to return your own custom implementation when T matches your type, and fall back to return base.GetHashCollisionResistantEqualityComparer<T>(); for types you do not have custom implementations for.

Unrelated to this advisory, but as general security guidance, you should also avoid the Typeless serializer/formatters/resolvers for untrusted data, as that opens the door for the untrusted data to deserialize unanticipated types that can compromise security.

MessagePack 1.x users

Upgrade to 1.9.11 or any later 1.9.x version. When deserializing untrusted data, put MessagePack into a more secure mode with:

    MessagePackSecurity.Active = MessagePackSecurity.UntrustedData;

In MessagePack v1.x this is a static property and thus the security level is shared by the entire process or AppDomain. Use MessagePack v2.1 or later for better control over the security level for your particular use.

Any code produced by mpc should be regenerated with the mpc tool with the matching (patched) version. Such generated code is usually written to a file called Generated.cs. A patched Generated.cs file will typically reference the MessagePackSecurity class.

Review any custom-written IMessagePackFormatter<T> implementations in your project, or that you might use from 3rd party packages, to ensure they also utilize the MessagePackSecurity class as required. In particular, a formatter that deserializes an object (as opposed to a primitive value) should wrap the deserialization in a using (MessagePackSecurity.DepthStep()) block. For example:

    public MyObject Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil())
        {
            return default;
        }
        else
        {
            using (MessagePackSecurity.DepthStep()) // STACK OVERFLOW MITIGATION
            {
                MyObject o = new MyObject();
                // deserialize members of the object here.
                return o;
            }
        }
    }

If your custom formatter creates hash-based collections (e.g. Dictionary<K, V> or HashSet<T>) where the hashed key comes from the messagepack data, always instantiate your collection using MessagePackSecurity.Active.GetEqualityComparer<T>() as the equality comparer:

    var collection = new HashSet<T>(MessagePackSecurity.Active.GetEqualityComparer<T>());

This ensures that when reading untrusted data, you will be using a collision-resistant hash algorithm. Learn more about best security practices when reading untrusted data with MessagePack 1.x.

MessagePack 2.x users

Upgrade to any 2.1.x or later version. When deserializing untrusted data, put MessagePack into a more secure mode by configuring your MessagePackSerializerOptions.Security property:

    var options = MessagePackSerializerOptions.Standard
        .WithSecurity(MessagePackSecurity.UntrustedData);

    // Pass the options explicitly for the greatest control.
    T object = MessagePackSerializer.Deserialize<T>(data, options);

    // Or set the security level as the default.
    MessagePackSerializer.DefaultOptions = options;

Any code produced by mpc should be regenerated with the mpc tool with the matching (patched) version. Such generated code is usually written to a file called Generated.cs. A patched Generated.cs file will typically reference the Security member on the MessagePackSerializerOptions parameter.

Review any custom-written IMessagePackFormatter<T> implementations in your project, or that you might use from 3rd party packages, to ensure they also utilize the MessagePackSecurity class as required. In particular, a formatter that deserializes an object (as opposed to a primitive value) should call options.Security.DepthStep(ref reader); before deserializing the object's members, and be sure to revert the depth step with reader.Depth--; before exiting the method. For example:

    public MyObject Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil())
        {
            return default;
        }
        else
        {
            options.Security.DepthStep(ref reader); // STACK OVERFLOW MITIGATION, line 1
            try
            {
                MyObject o = new MyObject();
                // deserialize members of the object here.
                return o;
            }
            finally
            {
                reader.Depth--; // STACK OVERFLOW MITIGATION, line 2
            }
        }
    }

If your custom formatter creates hash-based collections (e.g. Dictionary<K, V> or HashSet<T>) where the hashed key comes from the messagepack data, always instantiate your collection using options.Security.GetEqualityComparer<TKey>() as the equality comparer:

    var collection = new HashSet<T>(options.Security.GetEqualityComparer<T>());

This ensures that when reading untrusted data, you will be using a collision-resistant hash algorithm. Learn more about best security practices when reading untrusted data with MessagePack 2.x.

Workarounds

The security vulnerabilities are in the formatters. Avoiding the built-in formatters entirely in favor of reading messagepack primitive data directly, or relying on carefully written custom formatters, can provide a workaround.

  • MessagePack v1.x users may utilize the MessagePackBinary static class directly to read the data they expect.
  • MessagePack v2.x users may utilize the MessagePackReader struct directly to read the data they expect.

References

Learn more about best security practices when reading untrusted data with MessagePack 1.x or MessagePack 2.x.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in MessagePack-CSharp
  • Email us
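The advisory's 2.x steps (opt into UntrustedData, supply a collision-resistant comparer for a custom key type, and write a formatter that does the depth step and uses the security-provided comparer) are shown below as one end-to-end program. This is an added example written for this page, not code from the advisory or the MessagePack-CSharp project. The names TenantId, HardenedSecurity and TenantCountsFormatter are hypothetical; the copy constructor and Clone() override on the subclass reflect my understanding of how MessagePackSecurity's With*() methods clone the instance (an assumption the advisory text does not spell out), and the hostile payload and sample map are constructed inline.

```csharp
using System;
using System.Buffers;
using System.Collections.Generic;
using MessagePack;
using MessagePack.Formatters;
using MessagePack.Resolvers;

// Hypothetical custom key type (assumption: not part of the advisory). Its GetHashCode is
// predictable, which is exactly what an attacker needs to mass-produce colliding keys.
public readonly struct TenantId : IEquatable<TenantId>
{
    public string Value { get; }
    public TenantId(string value) => Value = value;
    public bool Equals(TenantId other) => Value == other.Value;
    public override bool Equals(object obj) => obj is TenantId t && Equals(t);
    public override int GetHashCode() => Value?.GetHashCode() ?? 0;
}

// Subclass that knows how to hash TenantId safely: it reuses the library's own
// collision-resistant string comparer for the wrapped string and defers to base otherwise.
public class HardenedSecurity : MessagePackSecurity
{
    public HardenedSecurity() { }
    protected HardenedSecurity(HardenedSecurity copyFrom) : base(copyFrom) { }
    // Assumption: With*() methods call Clone(); overriding keeps the subtype after configuration.
    protected override MessagePackSecurity Clone() => new HardenedSecurity(this);

    protected override IEqualityComparer<T> GetHashCollisionResistantEqualityComparer<T>()
    {
        if (typeof(T) == typeof(TenantId))
        {
            var inner = base.GetHashCollisionResistantEqualityComparer<string>();
            return (IEqualityComparer<T>)new TenantIdComparer(inner);
        }
        return base.GetHashCollisionResistantEqualityComparer<T>();
    }

    private sealed class TenantIdComparer : IEqualityComparer<TenantId>
    {
        private readonly IEqualityComparer<string> inner;
        public TenantIdComparer(IEqualityComparer<string> inner) => this.inner = inner;
        public bool Equals(TenantId x, TenantId y) => inner.Equals(x.Value, y.Value);
        public int GetHashCode(TenantId obj) => obj.Value is null ? 0 : inner.GetHashCode(obj.Value);
    }
}

// Custom formatter for a map keyed by the untrusted key type, following the advisory's pattern.
public sealed class TenantCountsFormatter : IMessagePackFormatter<Dictionary<TenantId, int>>
{
    public void Serialize(ref MessagePackWriter writer, Dictionary<TenantId, int> value, MessagePackSerializerOptions options)
    {
        if (value == null) { writer.WriteNil(); return; }
        writer.WriteMapHeader(value.Count);
        foreach (var kv in value) { writer.Write(kv.Key.Value); writer.Write(kv.Value); }
    }

    public Dictionary<TenantId, int> Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) return null;
        options.Security.DepthStep(ref reader); // STACK OVERFLOW MITIGATION, line 1
        try
        {
            int count = reader.ReadMapHeader();
            // Comparer comes from the active security policy; the count from the wire is deliberately
            // not used to pre-size the dictionary, so a bogus header cannot force a huge allocation.
            var result = new Dictionary<TenantId, int>(options.Security.GetEqualityComparer<TenantId>());
            for (int i = 0; i < count; i++)
            {
                var key = new TenantId(reader.ReadString());
                result[key] = reader.ReadInt32();
            }
            return result;
        }
        finally
        {
            reader.Depth--; // STACK OVERFLOW MITIGATION, line 2
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var security = new HardenedSecurity().WithHashCollisionResistant(true).WithMaximumObjectGraphDepth(64);
        var resolver = CompositeResolver.Create(
            new IMessagePackFormatter[] { new TenantCountsFormatter() },
            new IFormatterResolver[] { StandardResolver.Instance });
        var options = MessagePackSerializerOptions.Standard.WithResolver(resolver).WithSecurity(security);

        // Constructed sample map: round-trips through the hardened formatter.
        var sample = new Dictionary<TenantId, int> { [new TenantId("acme")] = 3, [new TenantId("globex")] = 7 };
        var back = MessagePackSerializer.Deserialize<Dictionary<TenantId, int>>(MessagePackSerializer.Serialize(sample, options), options);
        Console.WriteLine($"round trip ok: {back.Count == 2 && back[new TenantId("acme")] == 3}");

        // Constructed hostile payload: 100 nested single-element arrays, deeper than the limit of 64.
        var buffer = new ArrayBufferWriter<byte>();
        var writer = new MessagePackWriter(buffer);
        for (int i = 0; i < 100; i++) writer.WriteArrayHeader(1);
        writer.WriteNil();
        writer.Flush();
        try
        {
            MessagePackSerializer.Deserialize<object>(buffer.WrittenMemory, options);
            Console.WriteLine("unexpected: deep payload accepted");
        }
        catch (MessagePackSerializationException ex)
        {
            // The patched library rejects the payload once reader.Depth exceeds MaximumObjectGraphDepth.
            Console.WriteLine($"rejected deep payload: {ex.GetBaseException().GetType().Name}");
        }
    }
}
```

The important property to verify in your own project is the same one this program exercises: with the security object in place, a map keyed by your custom type deserializes without throwing (meaning a comparer was found), and an over-deep payload is rejected rather than crashing the process. If the first check throws about a missing comparer, the type is one your MessagePackSecurity subclass does not yet cover.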

Impact

Severity and exposure

CVE-2020-5234 has a CVSS score of 4.8 (Medium). The vector is network-reachable, low privileges required, and user interaction required; the impact is limited to availability, since the issue is CPU exhaustion from hash collisions or a process crash from stack overflow, not data disclosure or tampering. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment, and in particular on whether you deserialize messagepack data that an attacker can supply.

Fixed versions are available (1.9.11 for the 1.x line, 2.1.90 for the 2.x line). Upgrading alone is not sufficient: the fixed library only applies collision-resistant hashing and the object-graph depth limit when the application opts into UntrustedData mode, and mpc-generated code and hand-written IMessagePackFormatter<T> implementations must also be regenerated or updated, as described in the Summary above.

Affected versions

nuget

  • MessagePack (< 1.9.11)
  • MessagePack (>= 2.0.0, < 2.1.90)
  • MessagePack.ImmutableCollection (< 1.9.11)
  • MessagePack.ImmutableCollection (>= 2.0.0, < 2.1.90)
  • MessagePack.ReactiveProperty (< 1.9.11)
  • MessagePack.ReactiveProperty (>= 2.0.0, < 2.1.90)
  • MessagePack.UnityShims (< 1.9.11)
  • MessagePack.UnityShims (>= 2.0.0, < 2.1.90)
  • MessagePack.Unity (< 1.9.11)
  • MessagePack.Unity (>= 2.0.0, < 2.1.90)

Security releases

  • MessagePack → 1.9.11 (nuget)
  • MessagePack → 2.1.90 (nuget)
  • MessagePack.ImmutableCollection → 1.9.11 (nuget)
  • MessagePack.ImmutableCollection → 2.1.90 (nuget)
  • MessagePack.ReactiveProperty → 1.9.11 (nuget)
  • MessagePack.ReactiveProperty → 2.1.90 (nuget)
  • MessagePack.UnityShims → 1.9.11 (nuget)
  • MessagePack.UnityShims → 2.1.90 (nuget)
  • MessagePack.Unity → 1.9.11 (nuget)
  • MessagePack.Unity → 2.1.90 (nuget)
Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2020-5234 is reachable in your applications. Explore open-source security for your team.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • Upgrade MessagePack to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.ImmutableCollection to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.ReactiveProperty to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.UnityShims to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.Unity to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line

Note that 2.0.x is later than 1.9.11 but still vulnerable; pick the fixed version for the major line you are on. After upgrading, enable UntrustedData mode and regenerate mpc output as described in the Summary.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2020-5234

What is CVE-2020-5234?

CVE-2020-5234 is a medium-severity denial-of-service vulnerability in MessagePack (nuget), affecting versions < 1.9.11 on the 1.x line and >= 2.0.0, < 2.1.90 on the 2.x line. It is fixed in 1.9.11 and 2.1.90 respectively.

How severe is CVE-2020-5234?

CVE-2020-5234 has a CVSS score of 4.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which packages are affected by CVE-2020-5234?
  • MessagePack (nuget) (versions < 1.9.11, and >= 2.0.0, < 2.1.90)
  • MessagePack.ImmutableCollection (nuget) (versions < 1.9.11, and >= 2.0.0, < 2.1.90)
  • MessagePack.ReactiveProperty (nuget) (versions < 1.9.11, and >= 2.0.0, < 2.1.90)
  • MessagePack.UnityShims (nuget) (versions < 1.9.11, and >= 2.0.0, < 2.1.90)
  • MessagePack.Unity (nuget) (versions < 1.9.11, and >= 2.0.0, < 2.1.90)
Is there a fix for CVE-2020-5234?

Yes. CVE-2020-5234 is fixed in 1.9.11 (1.x line) and 2.1.90 (2.x line). Upgrade to the fixed version for your major line or later, then opt into UntrustedData mode and update any generated or custom formatters; the upgrade alone does not enable the protections.

Is CVE-2020-5234 exploitable, and should I be worried?

Whether CVE-2020-5234 is exploitable in your environment depends on whether the vulnerable code is present and reachable, which for this issue means whether your application deserializes messagepack data from a source an attacker can influence. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2020-5234 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2020-5234?
  • Upgrade MessagePack to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.ImmutableCollection to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.ReactiveProperty to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.UnityShims to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Upgrade MessagePack.Unity to 1.9.11 or later on the 1.x line, or 2.1.90 or later on the 2.x line
  • Then enable UntrustedData mode (MessagePackSecurity.Active in 1.x, MessagePackSerializerOptions.Security in 2.x), regenerate mpc output, and update custom IMessagePackFormatter<T> implementations
