Heads-up · dotnet · Nerdbank.MessagePack

Nerdbank.MessagePack deserializers vulnerable to memory amplification via collection preallocation


09 Jun 2026 · Read 1 min · Severity: schedule it

What changed

Nerdbank.MessagePack deserializers for collection-shaped types size their storage from the element count in the MessagePack array or map header before reading any elements. Because that count is attacker-controlled, a header only a few bytes long can force the allocation of a collection far larger than the payload that carries it, which is a memory amplification attack.
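To make the mechanism concrete, here is an added illustration (not Nerdbank.MessagePack's code, and not its API) of a minimal, hypothetical array deserializer in the trusting shape beside a bounded shape. It decodes only fixarray/array16/array32 headers and positive-fixint elements, which is enough to show the problem; the payloads, the `SLOT_BYTES` estimate and the `max_elements` cap are constructed assumptions for the demo.

```python
"""MessagePack array-header memory amplification: trusting vs. bounded preallocation.

Added illustration; the deserializer here is hypothetical and covers one MessagePack
shape (arrays of positive fixints). Inputs below are constructed for the demo.
"""
import struct

# Constructed inputs.
# MALICIOUS: an array32 header (0xdd) declaring 4,294,967,295 elements, then nothing.
# That is 5 bytes on the wire.
MALICIOUS = bytes([0xDD, 0xFF, 0xFF, 0xFF, 0xFF])
BENIGN = bytes([0x93, 0x01, 0x02, 0x03])   # fixarray(3): [1, 2, 3]
TRUNCATED = bytes([0x93, 0x01])            # header claims 3 elements, carries 1

SLOT_BYTES = 8  # assumed size of one reference slot in a 64-bit object array


def read_array_header(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode fixarray / array16 / array32; return (declared_count, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: no header")
    b = buf[pos]
    if 0x90 <= b <= 0x9F:
        return b & 0x0F, pos + 1
    if b == 0xDC:
        return struct.unpack_from(">H", buf, pos + 1)[0], pos + 3
    if b == 0xDD:
        return struct.unpack_from(">I", buf, pos + 1)[0], pos + 5
    raise ValueError(f"not an array header: 0x{b:02x}")


def read_positive_fixint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode one positive fixint (0x00..0x7f); return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated: element missing")
    b = buf[pos]
    if b > 0x7F:
        raise ValueError("demo supports positive fixint elements only")
    return b, pos + 1


def planned_preallocation(buf: bytes) -> int:
    """Bytes a header-trusting deserializer would reserve before reading one element."""
    count, _ = read_array_header(buf, 0)
    return count * SLOT_BYTES


def deserialize_trusting(buf: bytes) -> list[int]:
    """Vulnerable shape: reserve `count` slots because the header said so.

    Do not call this on untrusted input; on MALICIOUS it tries to reserve ~32 GiB
    for a 5-byte message before a single element has been read.
    """
    count, pos = read_array_header(buf, 0)
    items = [None] * count            # amplification happens here
    for i in range(count):
        items[i], pos = read_positive_fixint(buf, pos)
    return items


def deserialize_bounded(buf: bytes, max_elements: int = 1_000_000) -> list[int]:
    """Hardened shape: preallocation is limited by the data actually present.

    Every MessagePack element occupies at least one byte, so a declared count larger
    than the bytes remaining can never be satisfied; reject it before allocating.
    An absolute cap (assumed value) keeps the worst case under the caller's control.
    """
    count, pos = read_array_header(buf, 0)
    remaining = len(buf) - pos
    if count > remaining:
        raise ValueError(f"header declares {count} elements, only {remaining} bytes follow")
    if count > max_elements:
        raise ValueError(f"array of {count} elements exceeds cap of {max_elements}")
    items = [None] * count            # now bounded by len(buf)
    for i in range(count):
        items[i], pos = read_positive_fixint(buf, pos)
    return items


def is_rejected(buf: bytes) -> bool:
    """True if the bounded deserializer refuses the input."""
    try:
        deserialize_bounded(buf)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(f"{len(MALICIOUS)} bytes in, {planned_preallocation(MALICIOUS):,} bytes "
          "reserved by the trusting path")
    print("benign:", deserialize_bounded(BENIGN))
    for bad in (MALICIOUS, TRUNCATED):
        try:
            deserialize_bounded(bad)
        except ValueError as err:
            print("rejected:", err)
```

The remaining-bytes check is the cheapest bound because it needs no knowledge of the element type; for maps the same argument holds with at least two bytes per entry (key and value). A fixed per-deserialization cap still matters for legitimate large inputs, since a genuine multi-megabyte message can reserve a proportionally large collection and the application, not the library, knows what size is reasonable.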

Who it affects

Applications using Nerdbank.MessagePack to deserialize untrusted MessagePack data into collections (arrays, dictionaries, etc.), including ASP.NET Core, SignalR, RPC, queue, or storage endpoints.

What to do today

Update Nerdbank.MessagePack to a patched version that limits preallocation to what the actual data size can support. Transport-level message size limits do not mitigate this on their own: the amplifying header is only a few bytes long, so a message well under any size cap can still trigger the oversized allocation.
