Advisories for Nuget/MessagePack package

2026

MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input

A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination …

2024

MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow

When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialized.

2020

Untrusted data can lead to DoS attack due to hash collisions and stack overflow in MessagePack

When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. stack overflow - leading to the deserializing process crashing.