dotnet · MessagePack
Heads-up
MessagePack-CSharp Typeless Deserialization Type-Disallow Bypass
MessagePack-CSharp's typeless deserialization type-disallow check is not recursive; array element types and generic type arguments bypass the outer type check.
What changed
In MessagePack-CSharp's typeless deserialization, the type-disallow check is applied only to the outermost type and does not recurse: array element types and generic type arguments are not checked, so a type that would be refused at the top level can still be instantiated when it appears as an array element or as a generic type argument.
Who it affects
Applications using typeless deserialization (MessagePackSerializer.Typeless, TypelessObjectResolver, etc.) with untrusted payloads.
What to do today
Upgrade MessagePack to version 2.5.301 or 3.1.7, or avoid typeless deserialization for untrusted data.
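The second part of that advice, replacing typeless deserialization with a fixed contract type, looks like the following. This is an added example, not code from the advisory or from the MessagePack-CSharp project; the `Envelope` message shape, the `EnvelopeCodec` helper and the sample payload are made up for illustration. It uses only public MessagePack-CSharp APIs (`MessagePackSerializer.Typeless`, `MessagePackSerializer.Deserialize<T>`, `MessagePackSerializerOptions.Standard`, `MessagePackSecurity.UntrustedData`).

```csharp
using System;
using MessagePack;

// Added example (not from the advisory or the MessagePack-CSharp project).
// Shows the typeless pattern the advisory warns about next to the typed,
// contract-based replacement it recommends for untrusted input.
// The Envelope message shape below is hypothetical.

[MessagePackObject]
public sealed class Envelope
{
    [Key(0)] public string Sender { get; set; } = string.Empty;
    [Key(1)] public int[] Values { get; set; } = Array.Empty<int>();
}

public static class EnvelopeCodec
{
    // Library-provided hardening for untrusted bytes (recursion depth and
    // hash-collision limits). This does not make Typeless safe; it is an
    // extra guard on the typed path, not a substitute for avoiding typeless
    // deserialization of untrusted data.
    private static readonly MessagePackSerializerOptions Untrusted =
        MessagePackSerializerOptions.Standard.WithSecurity(MessagePackSecurity.UntrustedData);

    // Pattern the advisory covers: the payload names the CLR type to
    // instantiate, and in affected versions the type-disallow check is
    // applied only to the outermost type (array element types and generic
    // type arguments are not checked). Keep this off untrusted input.
    public static object DeserializeTypeless(byte[] payload)
        => MessagePackSerializer.Typeless.Deserialize(payload);

    // Recommended replacement: the receiving code fixes the target type, so
    // the payload cannot choose what gets instantiated and the disallow
    // check is never relied on.
    public static Envelope DeserializeTyped(byte[] payload)
        => MessagePackSerializer.Deserialize<Envelope>(payload, Untrusted);

    public static byte[] SerializeTyped(Envelope e)
        => MessagePackSerializer.Serialize(e, Untrusted);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample message, as a trusted peer would produce it.
        var sent = new Envelope { Sender = "sensor-17", Values = new[] { 1, 2, 3 } };
        byte[] wire = EnvelopeCodec.SerializeTyped(sent);

        // Round-trip through the typed path only.
        Envelope received = EnvelopeCodec.DeserializeTyped(wire);
        Console.WriteLine($"{received.Sender}: {string.Join(",", received.Values)}");
    }
}
```

A quick way to audit a code base for the affected pattern is to search for `MessagePackSerializer.Typeless`, `TypelessObjectResolver` and `TypelessContractlessStandardResolver` and confirm that each call site either consumes trusted data only or has been moved to a `Deserialize<T>` call with a concrete contract type; the package version pinned in the project file should at the same time be raised to 2.5.301 or 3.1.7 as the advisory states.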