dotnet · MessagePack
Heads-up
MessagePack: DynamicUnionResolver depth limit bypass
What changed
Runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths. Because a union level therefore adds nothing to reader.Depth, a crafted payload that nests unions can exceed MessagePackSecurity.MaximumObjectGraphDepth without being rejected, bypassing the depth limit and potentially exhausting the stack. A StackOverflowException cannot be caught in .NET and terminates the process, so the practical impact is denial of service.
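The pattern the advisory says the generated code omits, shown in a hand-written union formatter. This is an added example, not code from the advisory or from the MessagePack project; INode, Leaf, Branch, NodeUnionFormatter and DeeplyNestedPayload are assumed names for illustration. The union wire format (a two-element array of integer key and payload) and the DepthStep/try-finally pattern are MessagePack-CSharp's own conventions. Note that in this graph the Branch object formatter also counts a depth level, so the oversized payload is rejected even where the union level is not tracked; the point of the block is the correct shape of the union formatter's depth accounting.

```csharp
using System;
using System.Buffers;
using MessagePack;
using MessagePack.Formatters;
using MessagePack.Resolvers;

// Assumed example types. With only StandardResolver, INode would be handled by
// DynamicUnionResolver; here a hand-written formatter is registered ahead of it.
[Union(0, typeof(Leaf))]
[Union(1, typeof(Branch))]
public interface INode { }

[MessagePackObject]
public class Leaf : INode { [Key(0)] public int Value { get; set; } }

[MessagePackObject]
public class Branch : INode { [Key(0)] public INode Child { get; set; } }

// Union wire format: a 2-element array [typeKey, payload].
public sealed class NodeUnionFormatter : IMessagePackFormatter<INode>
{
    public void Serialize(ref MessagePackWriter writer, INode value, MessagePackSerializerOptions options)
    {
        if (value == null) { writer.WriteNil(); return; }
        writer.WriteArrayHeader(2);
        switch (value)
        {
            case Leaf l:
                writer.Write(0);
                options.Resolver.GetFormatterWithVerify<Leaf>().Serialize(ref writer, l, options);
                break;
            case Branch b:
                writer.Write(1);
                options.Resolver.GetFormatterWithVerify<Branch>().Serialize(ref writer, b, options);
                break;
            default:
                throw new MessagePackSerializationException("Unknown INode subtype " + value.GetType());
        }
    }

    public INode Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) return null;

        // Count this union as one level of the object graph. DepthStep increments
        // reader.Depth and throws once it exceeds options.Security.MaximumObjectGraphDepth.
        // The vulnerable generated code omitted this call and the matching decrement.
        options.Security.DepthStep(ref reader);
        try
        {
            if (reader.ReadArrayHeader() != 2)
                throw new MessagePackSerializationException("Invalid union data");

            switch (reader.ReadInt32())
            {
                case 0: return options.Resolver.GetFormatterWithVerify<Leaf>().Deserialize(ref reader, options);
                case 1: return options.Resolver.GetFormatterWithVerify<Branch>().Deserialize(ref reader, options);
                default:
                    // Unknown key: skip the payload. Skip walks nested containers too,
                    // so it belongs inside the depth-tracked region as well.
                    reader.Skip();
                    return null;
            }
        }
        finally
        {
            reader.Depth--; // always undo the step, including on the throw path
        }
    }
}

public static class DepthDemo
{
    // Constructed payload: `depth` Branch levels wrapped in unions, ending in a Leaf.
    // Built with a loop, not recursion, so the producer side cannot itself overflow.
    public static byte[] DeeplyNestedPayload(int depth)
    {
        var buffer = new ArrayBufferWriter<byte>();
        var writer = new MessagePackWriter(buffer);
        for (int i = 0; i < depth; i++)
        {
            writer.WriteArrayHeader(2); writer.Write(1); // union key 1 = Branch
            writer.WriteArrayHeader(1);                  // Branch: [Child]
        }
        writer.WriteArrayHeader(2); writer.Write(0);      // union key 0 = Leaf
        writer.WriteArrayHeader(1); writer.Write(42);     // Leaf: [Value]
        writer.Flush();
        return buffer.WrittenSpan.ToArray();
    }

    public static void Main()
    {
        var resolver = CompositeResolver.Create(
            new IMessagePackFormatter[] { new NodeUnionFormatter() },
            new IFormatterResolver[] { StandardResolver.Instance });
        var options = MessagePackSerializerOptions.Standard
            .WithResolver(resolver)
            .WithSecurity(MessagePackSecurity.UntrustedData);

        byte[] payload = DeeplyNestedPayload(options.Security.MaximumObjectGraphDepth * 4);
        try
        {
            MessagePackSerializer.Deserialize<INode>(payload, options);
            Console.WriteLine("deserialized: depth limit was not enforced");
        }
        catch (MessagePackSerializationException ex)
        {
            // DepthStep's exception surfaces wrapped by the serializer entry point.
            Console.WriteLine("rejected by depth limit: " + ex.Message);
        }
    }
}
```

Registering the formatter through CompositeResolver ahead of StandardResolver is what keeps DynamicUnionResolver from emitting its own formatter for INode; the same composition works as a stopgap for an unpatched application if you hand-write formatters for the affected union types.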
Who it affects
Applications that deserialize untrusted payloads into object graphs containing [Union]-decorated interfaces or abstract classes whose formatters are produced by DynamicUnionResolver, which is part of the StandardResolver chain used by default.
What to do today
Upgrade MessagePack to the patched version for your release line and upgrade companion packages to coordinated patched versions. Until the upgrade lands, do not rely on MessagePackSecurity.MaximumObjectGraphDepth to bound payloads that reach union types through DynamicUnionResolver; either stop deserializing untrusted input into those types or register a union formatter that performs the depth accounting itself.