CVE-2026-48506 is a high-severity security vulnerability in MessagePack (nuget), affecting versions < 2.5.301. It is fixed in 2.5.301, 3.1.7.
Summary MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. Impact Applications that deserialize untrusted MessagePack payloads are affected when a formatter skips attacker-controlled values. This is a broad deserialization path and can be reached during normal object deserialization when an input includes an unknown member or extra value. The attacker does not need to target a special resolver or compression mode. A payload containing many nested single-element arrays or maps in a skipped location can exhaust the process stack. Because StackOverflowException is not catchable in normal .NET execution, this terminates the host process and can deny service to other users of the same process. MessagePackSecurity.UntrustedData does not mitigate this issue because the skip path does not participate in depth accounting. Affected components Package: MessagePack APIs: MessagePackReader.Skip, MessagePackReader.TrySkip, and formatter paths that skip unknown or ignored values Finding IDs: MESSAGEPACKCSHARP-021, duplicate/open variant MESSAGEPACKCSHARP-OPEN-001 Patches Fixes are prepared and will be released in coordinated patch versions. Upgrade guidance: Upgrade MessagePack to the patched version for your release line. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions. The fix should either make skip traversal iterative or apply the existing depth accounting to arrays and maps encountered by TrySkip(). Any exceeded depth limit should result in a catchable serialization exception instead of process stack exhaustion. Workarounds Patching is recommended. There is no complete workaround for applications that deserialize untrusted MessagePack payloads with affected versions. Reducing accepted message sizes can raise the cost of exploitation but does not remove the recursive skip behavior. Strict schema validation outside MessagePack-CSharp may help only if it rejects unknown or skipped fields before the serializer sees them. Resources MESSAGEPACKCSHARP-021: unbounded recursion in TrySkip() MESSAGEPACKCSHARP-OPEN-001: duplicate/open finding for the same root cause CWE-674: Uncontrolled Recursion CVE split rationale This vulnerability is independently fixable in the skip traversal implementation. It should be tracked separately from formatter-specific missing depth checks, JSON conversion recursion, and non-recursion allocation bugs.
CVE-2026-48506 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.5.301, 3.1.7). Upgrading removes the vulnerable code path.
nuget
MessagePack (< 2.5.301)MessagePack (>= 3.0, < 3.1.7)MessagePack → 2.5.301 (nuget)MessagePack → 3.1.7 (nuget)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-48506 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-48506 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-48506 in your environment →Upgrade the following packages to resolve this vulnerability:
MessagePack to 2.5.301 or laterMessagePack to 3.1.7 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-48506 is a high-severity security vulnerability in MessagePack (nuget), affecting versions < 2.5.301. It is fixed in 2.5.301, 3.1.7.
CVE-2026-48506 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
MessagePack (nuget) versions < 2.5.301 is affected.
Yes. CVE-2026-48506 is fixed in 2.5.301, 3.1.7. Upgrade to this version or later.
Whether CVE-2026-48506 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
MessagePack to 2.5.301 or laterMessagePack to 3.1.7 or later