
AIKIDO-2026-11178

MessagePack.AspNetCoreMvcFormatter is vulnerable to Initialization of a Resource with an Insecure Default

Weakness: Initialization of a Resource with an Insecure Default
CVE-2026-48509, published today

Risk score: 63 (Medium Risk)

This affects:

.NET package MessagePack.AspNetCoreMvcFormatter
  0.0.1 - 2.5.300 (fixed in 2.5.301)
  3.0.0 - 3.1.6 (fixed in 3.1.7)

TL;DR

The parameterless MessagePackInputFormatter constructor defaults to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData even though it binds HTTP request bodies. Untrusted clients can therefore deserialize request models without the hash-collision and depth mitigations intended for untrusted data. The fix defaults the parameterless constructor to MessagePackSecurity.UntrustedData.

Who does this affect?

You are affected if you are using a version within the vulnerable ranges and you register the parameterless MessagePackInputFormatter without passing explicit serializer options configured for untrusted data.

Background info

MessagePack.AspNetCoreMvcFormatter is vulnerable to Initialization of a Resource with an Insecure Default in versions 0.0.1 - 2.5.300 and 3.0.0 - 3.1.6.

How to fix this

Upgrade the MessagePack.AspNetCoreMvcFormatter library to a patched version (2.5.301 or 3.1.7).
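As an added illustration (not code from the advisory or from the MessagePack project), the registration below shows the weak parameterless formatter described in the TL;DR beside a registration that passes explicit untrusted-data options, which also works as defense in depth on an already patched version. It assumes an ASP.NET Core minimal-hosting Program.cs and the options-taking MessagePackInputFormatter and MessagePackOutputFormatter constructors.

```csharp
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers(mvc =>
{
    // Weak registration on affected versions: the parameterless constructor
    // falls back to MessagePackSerializerOptions.Standard, whose security
    // level is MessagePackSecurity.TrustedData, so request bodies sent by
    // arbitrary clients are parsed without the untrusted-data safeguards.
    // mvc.InputFormatters.Add(new MessagePackInputFormatter());

    // Hardened registration: build options that explicitly enable the
    // untrusted-data protections (hash-collision mitigation and a bounded
    // object-graph depth) and hand them to the formatter, so the outcome
    // does not depend on the package's own default.
    var untrusted = MessagePackSerializerOptions.Standard
        .WithSecurity(MessagePackSecurity.UntrustedData);

    mvc.InputFormatters.Add(new MessagePackInputFormatter(untrusted));
    mvc.OutputFormatters.Add(new MessagePackOutputFormatter(untrusted));
});

var app = builder.Build();
app.MapControllers();
app.Run();
```

Registering the formatter with explicit options is a mitigation for the default only; upgrading to a fixed version remains the fix the advisory calls for.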