MessagePack is vulnerable to Denial of Service (DoS)
82
High Risk
MessagePackReader.ReadDateTime can enter a slow path that stack-allocates a buffer sized from an attacker-controlled timestamp extension length before validating the extension body. A small malformed payload can therefore trigger an uncatchable StackOverflowException when deserializing DateTime values from untrusted input. The fix validates supported timestamp extension lengths before any stack allocation and rejects oversized headers with a normal serialization exception.
You are affected if you are using a version that falls within the vulnerable range and deserialize untrusted MessagePack into schemas containing DateTime or DateTimeOffset values.
MessagePack is vulnerable to Denial of Service (DoS) in versions 3.0.0 - 3.1.6.
Upgrade the MessagePack library to a patched version.
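The length check the fix describes, as an added example that is not part of this advisory or the MessagePack project: a format-level pre-check in Python that walks one MessagePack value and rejects a timestamp extension (type -1) whose declared length is not 4, 8 or 12 before any deserializer sizes a buffer from it. It assumes the standard MessagePack format bytes and the spec's timestamp lengths; the function and constant names are hypothetical and the sample inputs are constructed.

```python
# Constructed example (not MessagePack's own code): walk one MessagePack value and
# reject any ext of type -1 (timestamp) whose declared length is not 4, 8 or 12.
TIMESTAMP_EXT_TYPE_BYTE = 0xff          # ext type -1 as an unsigned byte
VALID_TIMESTAMP_LENGTHS = {4, 8, 12}

_SCALAR = {0xc0: 0, 0xc2: 0, 0xc3: 0, 0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2,
           0xce: 4, 0xcf: 8, 0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8}  # byte -> payload size
# byte -> (length-field width, kind, fixed length); width 0 marks a fixext format
_SIZED = {0xd4: (0, "ext", 1), 0xd5: (0, "ext", 2), 0xd6: (0, "ext", 4),
          0xd7: (0, "ext", 8), 0xd8: (0, "ext", 16),
          0xc7: (1, "ext", 0), 0xc8: (2, "ext", 0), 0xc9: (4, "ext", 0),
          0xc4: (1, "bin", 0), 0xc5: (2, "bin", 0), 0xc6: (4, "bin", 0),
          0xd9: (1, "bin", 0), 0xda: (2, "bin", 0), 0xdb: (4, "bin", 0),
          0xdc: (2, "array", 0), 0xdd: (4, "array", 0),
          0xde: (2, "map", 0), 0xdf: (4, "map", 0)}

def _take(buf, pos, width):  # bounds-checked big-endian unsigned field
    if pos + width > len(buf):
        raise ValueError("truncated input")
    return int.from_bytes(buf[pos:pos + width], "big"), pos + width

def _walk(buf, pos, count=1):  # validate `count` consecutive values; return end offset
    for _ in range(count):
        b, pos = _take(buf, pos, 1)
        if 0x80 <= b <= 0x9f:                           # fixmap (2n) / fixarray (n)
            pos = _walk(buf, pos, (b & 0x0f) * (2 if b < 0x90 else 1))
        elif 0xa0 <= b <= 0xbf:                         # fixstr
            pos += b & 0x1f
        elif b in _SCALAR:
            pos += _SCALAR[b]
        elif b in _SIZED:
            width, kind, fixed = _SIZED[b]
            n, pos = (fixed, pos) if width == 0 else _take(buf, pos, width)
            if kind == "ext":                           # check the header before the body
                ext_type, pos = _take(buf, pos, 1)
                if ext_type == TIMESTAMP_EXT_TYPE_BYTE and n not in VALID_TIMESTAMP_LENGTHS:
                    raise ValueError(f"timestamp ext with unsupported length {n}")
            if kind in ("ext", "bin"):                  # str/bin/ext bodies are opaque
                pos += n
            else:
                pos = _walk(buf, pos, n if kind == "array" else 2 * n)
        elif not (b <= 0x7f or b >= 0xe0):              # anything but a fixint is unknown
            raise ValueError(f"unknown format byte 0x{b:02x}")
    return pos

def timestamp_headers_ok(buf: bytes) -> bool:  # True only for well-formed timestamp headers
    try:
        return _walk(buf, 0) <= len(buf)
    except (ValueError, RecursionError):             # deep nesting is rejected as well
        return False
```

Run the check on untrusted bytes before handing them to the deserializer; an oversized timestamp header is refused with an ordinary return value rather than reaching the allocation path.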