MessagePack-CSharp UnsafeBlitFormatterBase Deserialization Vulnerability
What changed
UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes.
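The following is an added illustration of the defect class, not code from MessagePack-CSharp: a toy blit reader over a constructed payload layout (ext length, then a byteLength field, then data) showing the vulnerable ordering beside the hardened one, where the untrusted length is validated against the ext header length and the bytes actually remaining before any allocation happens. The names and wire layout here are assumptions for the demo only.

```csharp
using System;
using System.Runtime.InteropServices;

static class BlitReaderDemo
{
    // Constructed layout for this demo (not the real MessagePack ext format):
    // [extLen: int32 LE][byteLength: int32 LE][data: byteLength bytes]
    const int HeaderBytes = 8;

    static int ReadInt32(ReadOnlySpan<byte> b, int offset) => BitConverter.ToInt32(b.Slice(offset, 4));

    // Vulnerable shape: the array is sized from the untrusted byteLength first;
    // the bounds failure only surfaces when copying, after the allocation.
    public static int[] DeserializeUnchecked(ReadOnlySpan<byte> buf)
    {
        int byteLength = ReadInt32(buf, 4);
        var result = new int[byteLength / sizeof(int)];          // attacker picks the size
        buf.Slice(HeaderBytes, byteLength).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    // Hardened shape: reject byteLength unless it fits both the ext header's
    // declared length and the bytes remaining in the buffer, then allocate.
    public static int[] DeserializeChecked(ReadOnlySpan<byte> buf)
    {
        int extLen = ReadInt32(buf, 0);
        int byteLength = ReadInt32(buf, 4);
        int remaining = buf.Length - HeaderBytes;
        if (byteLength < 0 || byteLength % sizeof(int) != 0)
            throw new InvalidOperationException("byteLength is negative or not element-aligned");
        if (byteLength > extLen - sizeof(int) || byteLength > remaining)
            throw new InvalidOperationException("byteLength exceeds ext header length or remaining bytes");
        var result = new int[byteLength / sizeof(int)];
        buf.Slice(HeaderBytes, byteLength).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    static void Main()
    {
        // Constructed payload: declares far more data (64 MiB) than it carries (none).
        var evil = new byte[HeaderBytes];
        BitConverter.GetBytes(HeaderBytes).CopyTo(evil, 0);  // extLen: header only
        BitConverter.GetBytes(1 << 26).CopyTo(evil, 4);      // byteLength: 64 MiB claimed
        try { DeserializeUnchecked(evil); }
        catch (Exception e) { Console.WriteLine($"unchecked: {e.GetType().Name} raised only after allocating"); }
        try { DeserializeChecked(evil); }
        catch (InvalidOperationException e) { Console.WriteLine($"checked: rejected before allocating: {e.Message}"); }
    }
}
```

The unchecked path commits memory proportional to a value the sender controls before any bounds check runs, which is the resource-exhaustion risk the advisory describes; the checked path fails fast on the header comparison.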
Who it affects
Applications using Unity blit resolvers (UnityBlitResolver or UnityBlitWithPrimitiveArrayResolver) to deserialize untrusted payloads, especially Unity multiplayer clients or servers using MessagePack-CSharp for networked values.
What to do today
Upgrade MessagePack.UnityClient to the patched version for your release line and upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.