PT-2024-33272 · Unknown · Messagepack-Csharp

Aarnott · Published 2024-10-17 · Updated 2024-10-18 · CVE-2024-48924

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MessagePack-CSharp, 2.x releases prior to 2.5.187 and 3.x releases prior to 3.0.214.

Description: The vulnerability is reachable whenever the library deserializes MessagePack data from an untrusted source. An attacker can send a payload whose map keys are contrived to produce hash collisions in the dictionaries the deserializer builds, so the work done per key degrades from constant to linear and CPU consumption grows out of proportion to the size of the payload (a denial-of-service condition; confidentiality and integrity are not affected, as the CVSS vector reflects). The issue is a continuation of a prior advisory whose fix for the hash-collision part of the problem turned out to be inadequate.

Recommendations: Upgrade to a release that contains the fix (2.5.187 or later on the 2.x line, 3.0.214 or later on the 3.x line). If upgrading from v1, follow the migration guide. Re-check the steps in the previous advisory so that the application is actually configured for untrusted data; the fix only helps when collision-resistant hashing is enabled for the options object in use. If upgrading MessagePack to a patched version is not an option, apply a manual workaround: declare a class that derives from MessagePackSecurity, override the GetHashCollisionResistantEqualityComparer method to return a collision-resistant (keyed) comparer of your own rather than calling the base implementation, configure a MessagePackSerializerOptions instance with an instance of the derived type, and use that options object for every deserialization operation, including call sites that currently rely on the serializer's default options.
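The manual workaround above, written out as an added example; this is not code from the MessagePack-CSharp project or from the advisory author. It assumes MessagePack-CSharp 2.x (where MessagePackSecurity exposes a protected copy constructor, a virtual Clone, and the virtual GetHashCollisionResistantEqualityComparer<T>) and .NET 6 or later (for HMACSHA256.HashData and RandomNumberGenerator.GetBytes). The class names KeyedHashSecurity, KeyedComparer and UntrustedMessagePack, and the ReadCounters helper, are hypothetical. The comparer keys its hash with a per-process random secret, so colliding keys cannot be precomputed offline; HMAC-SHA256 is used only because it is in the BCL, and a faster keyed hash such as SipHash would serve the same purpose.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using MessagePack;

// Hypothetical workaround class (added example, not the library's own code).
public sealed class KeyedHashSecurity : MessagePackSecurity
{
    // One random 128-bit secret per process. Without a secret an attacker can
    // precompute map keys that collide and make the deserializer's dictionaries
    // degrade to linear-time inserts.
    private static readonly byte[] Seed = RandomNumberGenerator.GetBytes(16);

    // Start from the library's untrusted-data preset so HashCollisionResistant
    // is on and the object-graph depth limit applies (assumes the protected
    // copy constructor present in 2.x).
    public KeyedHashSecurity() : base(MessagePackSecurity.UntrustedData) { }
    private KeyedHashSecurity(MessagePackSecurity copyFrom) : base(copyFrom) { }

    // The With* builder methods clone the instance; keep the derived type so
    // the override below survives a call such as WithMaximumObjectGraphDepth.
    protected override MessagePackSecurity Clone() => new KeyedHashSecurity(this);

    // The base comparer is the part the advisory says was inadequate, so it is
    // deliberately not called here; the keyed comparer replaces it outright.
    protected override IEqualityComparer<T> GetHashCollisionResistantEqualityComparer<T>()
        => new KeyedComparer<T>();

    private sealed class KeyedComparer<T> : IEqualityComparer<T>
    {
        public bool Equals(T x, T y) => EqualityComparer<T>.Default.Equals(x, y);

        public int GetHashCode(T obj)
        {
            // Map keys from the wire are strings or primitives; hash a canonical
            // text form under the secret so the bucket index depends on the seed.
            // Assumption: for any other key type, ToString() agrees with Equals().
            string canonical = obj switch
            {
                string s => s,
                IFormattable f => f.ToString(null, CultureInfo.InvariantCulture),
                _ => obj is null ? string.Empty : obj.ToString(),
            };
            byte[] mac = HMACSHA256.HashData(Seed, Encoding.UTF8.GetBytes(canonical));
            return BitConverter.ToInt32(mac, 0);
        }
    }
}

// Single options object for everything that reads untrusted bytes.
public static class UntrustedMessagePack
{
    public static readonly MessagePackSerializerOptions Options =
        MessagePackSerializerOptions.Standard.WithSecurity(new KeyedHashSecurity());

    // Pass Options explicitly at every Deserialize call; setting DefaultOptions
    // additionally covers call sites that omit the options argument.
    public static void InstallAsDefault() => MessagePackSerializer.DefaultOptions = Options;

    public static Dictionary<string, int> ReadCounters(byte[] untrustedBytes)
        => MessagePackSerializer.Deserialize<Dictionary<string, int>>(untrustedBytes, Options);
}

public static class Demo
{
    public static void Main()
    {
        UntrustedMessagePack.InstallAsDefault();

        // Constructed sample payload standing in for client-supplied bytes; a real
        // attack payload would carry thousands of keys chosen to collide under
        // the weak hash, which the keyed comparer above makes infeasible to choose.
        var sample = new Dictionary<string, int> { ["alpha"] = 1, ["beta"] = 2 };
        byte[] wire = MessagePackSerializer.Serialize(sample);

        Dictionary<string, int> roundTrip = UntrustedMessagePack.ReadCounters(wire);
        Console.WriteLine(roundTrip.Count == 2 && roundTrip["beta"] == 2 ? "ok" : "mismatch");
    }
}
```

The seed must never be logged or serialized; if it leaks, the attacker regains the ability to precompute collisions for the lifetime of the process. Once a patched release can be deployed, drop the derived class and keep the UntrustedData-based options object, since the upgraded library only protects deserialization paths that have collision resistance enabled.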

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-48924
GHSA-4QM4-8HG2-G2XM

Affected Products

Messagepack-Csharp