MessagePackReader.TrySkip() Bypasses MaximumObjectGraphDepth in dotnet MessagePack
What changed
MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling configured depth checks, bypassing MessagePackSecurity.MaximumObjectGraphDepth.
Who it affects
Applications that deserialize untrusted MessagePack payloads on any path where a formatter skips attacker-controlled values, including normal object deserialization when the input contains an unknown member or an extra value.
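To make the missing check concrete, here is an added, standalone Python skipper for the MessagePack wire format (not the MessagePack-CSharp library's code) that counts every descent into an array or map against a nesting limit, which is the accounting the advisory says TrySkip() omitted. The limit MAX_DEPTH, the helper names and the nested_arrays() test vector are constructed for this example; the ext family is left unhandled to stay short.

```python
class DepthExceeded(Exception):
    """Raised when nesting in a payload exceeds the configured limit."""

# Constructed cap for this example; a real reader takes it from configuration.
MAX_DEPTH = 8

def _skip(buf: bytes, pos: int, depth: int, max_depth: int) -> int:
    """Skip one MessagePack value at buf[pos] and return the position after it.
    `depth` is the number of enclosing arrays/maps. It is checked on every
    descent, so the limit also bounds the recursion this skipper performs."""
    b = buf[pos]
    pos += 1
    if b <= 0x7F or b >= 0xE0 or b in (0xC0, 0xC2, 0xC3):   # fixint, nil, bool
        return pos
    if 0x80 <= b <= 0x9F or b in (0xDC, 0xDD, 0xDE, 0xDF):  # arrays and maps
        if depth + 1 > max_depth:
            raise DepthExceeded(f"nesting deeper than {max_depth}")
        if b <= 0x9F:                                        # fixarray / fixmap
            count = b & 0x0F
        else:                                                # array16/32, map16/32
            width = 2 if b in (0xDC, 0xDE) else 4
            count = int.from_bytes(buf[pos:pos + width], "big")
            pos += width
        if b >= 0xDE or 0x80 <= b <= 0x8F:                   # maps hold key/value pairs
            count *= 2
        for _ in range(count):
            pos = _skip(buf, pos, depth + 1, max_depth)
        return pos
    if 0xA0 <= b <= 0xBF:                                    # fixstr
        return pos + (b & 0x1F)
    fixed = {0xCA: 4, 0xCB: 8, 0xCC: 1, 0xCD: 2, 0xCE: 4, 0xCF: 8,
             0xD0: 1, 0xD1: 2, 0xD2: 4, 0xD3: 8}
    if b in fixed:                                           # float32/64, uint/int 8..64
        return pos + fixed[b]
    sized = {0xC4: 1, 0xC5: 2, 0xC6: 4, 0xD9: 1, 0xDA: 2, 0xDB: 4}
    if b in sized:                                           # bin8/16/32, str8/16/32
        width = sized[b]
        length = int.from_bytes(buf[pos:pos + width], "big")
        return pos + width + length
    raise ValueError(f"ext family (0x{b:02x}) not handled in this example")

def skip_value(buf: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Skip the first value in buf with depth enforcement; returns bytes consumed."""
    return _skip(buf, 0, 0, max_depth)

def rejects(buf: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True if the depth limit stops the skip, the outcome a hardened reader wants."""
    try:
        skip_value(buf, max_depth)
        return False
    except DepthExceeded:
        return True

def nested_arrays(levels: int) -> bytes:
    """Constructed test vector: `levels` single-element fixarrays wrapping nil."""
    return b"\x91" * levels + b"\xc0"
```

With MAX_DEPTH set to 8, nested_arrays(8) is skipped in full while nested_arrays(9) is rejected, which is the behaviour a skip path gets only when it charges each container against the same depth budget as normal deserialization.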
What to do today
Upgrade MessagePack to the patched version for your release line and upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.