GHSA-q2h6-ghwm-5qm8: MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
## Summary `InterfaceLookupFormatter<TKey,TElement>` constructs an internal `Dictionary<TKey, IGrouping<TKey,TElement>>` with the default equality comparer instead of the security-aware comparer supplied by `options.Security.GetEqualityComparer<TKey>()`. Other hash-based collection formatters use the security-aware comparer when `MessagePackSecurity.UntrustedData` is configured. This formatter omission allows hash-collision CPU denial of service against `ILookup<TKey,TElement>` even when the application has opted into the untrusted-data security posture. ## Impact Applications are affected when they deserialize untrusted payloads into schemas containing `ILookup<TKey,TElement>` with a key type for which attacker-controlled hash collisions are feasible. Under the default comparer, many colliding keys can degrade dictionary insertion from amortized constant time to quadratic behavior. A payload of colliding keys can consume CPU for a disproportionate amount of time. This bypasses the mitigation that developers intentionally enabled by using `MessagePackSecurity.UntrustedData`. ## Affected components - Package: `MessagePack` - API: `InterfaceLookupFormatter<TKey,TElement>.Create` - Data type: `ILookup<TKey,TElement>` - Finding ID: `MESSAGEPACKCSHARP-041` ## Patches Fixes are prepared and will be released in coordinated patch versions. Upgrade guidance: 1. Upgrade `MessagePack` to the patched version for your release line. 2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions. The fix should create the internal dictionary with `options.Security.GetEqualityComparer<TKey>()`, matching the sibling dictionary and lookup formatter behavior. ## Workarounds Patching is recommended. Until a patched version is available, avoid exposing `ILookup<TKey,TElement>` in DTOs that deserialize untrusted data. Use collection shapes that are already protected by the security-aware comparer path, or validate and cap collection sizes at the transport boundary. ## Resources - `MESSAGEPACKCSHARP-041`: `InterfaceLookupFormatter` missing security comparer - CWE-407: Inefficient Algorithmic Complexity
GHSA-q2h6-ghwm-5qm8: MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
Description
## Summary `InterfaceLookupFormatter<TKey,TElement>` constructs an internal `Dictionary<TKey, IGrouping<TKey,TElement>>` with the default equality comparer instead of the security-aware comparer supplied by `options.Security.GetEqualityComparer<TKey>()`. Other hash-based collection formatters use the security-aware comparer when `MessagePackSecurity.UntrustedData` is configured. This formatter omission allows hash-collision CPU denial of service against `ILookup<TKey,TElement>` even when the application has opted into the untrusted-data security posture. ## Impact Applications are affected when they deserialize untrusted payloads into schemas containing `ILookup<TKey,TElement>` with a key type for which attacker-controlled hash collisions are feasible. Under the default comparer, many colliding keys can degrade dictionary insertion from amortized constant time to quadratic behavior. A payload of colliding keys can consume CPU for a disproportionate amount of time. This bypasses the mitigation that developers intentionally enabled by using `MessagePackSecurity.UntrustedData`. ## Affected components - Package: `MessagePack` - API: `InterfaceLookupFormatter<TKey,TElement>.Create` - Data type: `ILookup<TKey,TElement>` - Finding ID: `MESSAGEPACKCSHARP-041` ## Patches Fixes are prepared and will be released in coordinated patch versions. Upgrade guidance: 1. Upgrade `MessagePack` to the patched version for your release line. 2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions. The fix should create the internal dictionary with `options.Security.GetEqualityComparer<TKey>()`, matching the sibling dictionary and lookup formatter behavior. ## Workarounds Patching is recommended. Until a patched version is available, avoid exposing `ILookup<TKey,TElement>` in DTOs that deserialize untrusted data. Use collection shapes that are already protected by the security-aware comparer path, or validate and cap collection sizes at the transport boundary. ## Resources - `MESSAGEPACKCSHARP-041`: `InterfaceLookupFormatter` missing security comparer - CWE-407: Inefficient Algorithmic Complexity
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-q2h6-ghwm-5qm8
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48516"]
- Ecosystems
- ["NuGet"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a3ef7f327e9c79719036eda
Added to database: 06/26/2026, 22:06:43 UTC
Last updated: 06/26/2026, 22:06:43 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.