CVE-2026-48513
NixOS vulnerability analysis and mitigation

Overview

CVE-2026-48513 is a depth-limit bypass vulnerability in MessagePack for C# (MessagePack-CSharp) that allows unauthenticated remote attackers to cause a Denial of Service via uncontrolled recursion during deserialization. The flaw exists in the DynamicUnionResolver-generated deserializers, which fail to enforce maximum object graph depth limits. Affected versions include all releases prior to 2.5.301 on the 2.x branch and versions 3.0.3 through 3.1.6 on the 3.x branch. The vulnerability was published on June 22, 2026, with patches released in versions 2.5.301 and 3.1.7. It carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).

Technical details

The root cause is classified as CWE-674 (Uncontrolled Recursion). Runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths, meaning they bypass the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step, allowing deeply nested payloads to exhaust the call stack. In combination with recursive skip behavior, this can terminate the process with an uncatchable StackOverflowException. The vulnerability specifically affects applications that deserialize untrusted payloads into object graphs containing [Union]-decorated interfaces or abstract classes handled by DynamicUnionResolver (GitHub Advisory).

Impact

Successful exploitation results in a Denial of Service, with high availability impact and no confidentiality or integrity impact. An unauthenticated attacker can craft a MessagePack payload with an unknown union key and a deeply nested value that bypasses configured depth limits, causing excessive memory consumption, CPU exhaustion, or an uncatchable StackOverflowException that crashes the application process. Only applications that deserialize untrusted data into [Union]-decorated types via DynamicUnionResolver are affected; there is no evidence of lateral movement or data exposure risk (GitHub Advisory, Feedly).

Exploitation steps

  1. Identify target: Locate a network-accessible application that uses MessagePack for C# (versions prior to 2.5.301 or 3.0.3–3.1.6) and deserializes untrusted MessagePack data into [Union]-decorated interface or abstract class types via DynamicUnionResolver.
  2. Craft malicious payload: Construct a MessagePack-encoded union payload specifying an unknown union key (one not registered in the target's union type hierarchy) paired with a deeply nested value structure (e.g., recursively nested arrays or maps).
  3. Transmit payload: Send the crafted payload to the target application's deserialization endpoint (e.g., an API endpoint, message queue consumer, or network service that accepts MessagePack-encoded data).
  4. Trigger depth bypass: The DynamicUnionResolver-generated deserializer processes the unknown key and calls reader.Skip() on the nested value without invoking MessagePackSecurity.DepthStep(), bypassing depth limits and recursing without bound.
  5. Achieve DoS: The uncontrolled recursion exhausts the call stack, resulting in an uncatchable StackOverflowException that crashes the application process, causing a denial of service (GitHub Advisory).

Indicators of compromise

  • Logs: Application crash logs or event logs showing uncaught StackOverflowException originating from MessagePack deserialization code paths (e.g., DynamicUnionResolver or related IL-emitted formatters).
  • Process: Sudden termination of the .NET application process without a graceful shutdown; repeated process restarts in a short time window.
  • Network: Unusual or malformed MessagePack-encoded requests to API endpoints or message consumers, particularly payloads with deeply nested structures or unknown union keys; abnormally large or deeply structured serialized data in network traffic.
  • Application Metrics: Spikes in CPU or memory usage immediately preceding application crashes; increased deserialization latency or timeouts correlated with specific incoming payloads (GitHub Advisory).

Mitigation and remediation

Upgrade MessagePack for C# to version 2.5.301 (for 2.x users) or 3.1.7 (for 3.x users), which emit DepthStep and matching reader.Depth-- cleanup in dynamic union deserializers. As a temporary workaround until patching is possible, avoid deserializing untrusted payloads into dynamically resolved [Union] types; prefer source-generated formatters that include depth checks. Additionally, enforce outer message-size and schema constraints at the application level, and consider implementing resource limits (memory caps, CPU timeouts) to reduce DoS impact (GitHub Advisory).
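The indicators above single out "deeply nested structures", and the workaround asks for outer message-size and schema constraints enforced outside the vulnerable deserializer. The following is an added example, not code from the advisory or from the MessagePack-CSharp project: a gateway-side pre-filter that measures the nesting depth of a raw MessagePack payload with an explicit stack (so the check itself cannot overflow) and rejects it before the .NET deserializer ever sees it. The depth and size limits, the hypothetical function names, and the sample payloads are all assumptions; the union envelope is modelled as the 2-element array [key, value] that MessagePack-CSharp uses for [Union] types.

```python
_FIXED = {0xCA: 4, 0xCB: 8, 0xCC: 1, 0xCD: 2, 0xCE: 4, 0xCF: 8,      # float32/64, uint8..64
          0xD0: 1, 0xD1: 2, 0xD2: 4, 0xD3: 8}                        # int8..64
_LEN_W = {0xC4: 1, 0xC5: 2, 0xC6: 4, 0xD9: 1, 0xDA: 2, 0xDB: 4}      # bin8/16/32, str8/16/32
_EXT_W = {0xC7: 1, 0xC8: 2, 0xC9: 4}                                 # ext8/16/32

def max_nesting_depth(buf: bytes) -> int:
    """Deepest array/map nesting of one MessagePack value (scalar root = 0)."""
    pos, deepest, pending = 0, 0, [1]      # pending: items left to read per open container
    while pending:                         # explicit stack: the checker itself cannot overflow
        if pending[-1] == 0:
            pending.pop(); continue        # container fully consumed
        pending[-1] -= 1
        if pos >= len(buf): raise ValueError("truncated payload")
        b = buf[pos]; pos += 1; count = None
        if b <= 0x7F or b >= 0xE0 or b in (0xC0, 0xC2, 0xC3):
            pass                           # positive/negative fixint, nil, bool: no body
        elif 0x80 <= b <= 0x8F:
            count = 2 * (b & 0x0F)         # fixmap: key + value per entry
        elif 0x90 <= b <= 0x9F:
            count = b & 0x0F               # fixarray
        elif 0xA0 <= b <= 0xBF:
            pos += b & 0x1F                # fixstr
        elif b in _FIXED:
            pos += _FIXED[b]
        elif b in _LEN_W:
            w = _LEN_W[b]; pos += w + int.from_bytes(buf[pos:pos + w], "big")
        elif b in _EXT_W:
            w = _EXT_W[b]; pos += w + 1 + int.from_bytes(buf[pos:pos + w], "big")
        elif 0xD4 <= b <= 0xD8:
            pos += 1 + (1 << (b - 0xD4))   # fixext1/2/4/8/16: type byte + data
        elif b in (0xDC, 0xDD, 0xDE, 0xDF):   # array16/32, map16/32
            w = 2 if b in (0xDC, 0xDE) else 4
            count = int.from_bytes(buf[pos:pos + w], "big") * (2 if b >= 0xDE else 1)
            pos += w
        else:
            raise ValueError(f"invalid format byte 0x{b:02x}")
        if count is not None:
            pending.append(count); deepest = max(deepest, len(pending) - 1)
    if pos != len(buf): raise ValueError("truncated or trailing data")
    return deepest

def is_safe_to_deserialize(buf: bytes, max_depth: int = 64, max_bytes: int = 1 << 20) -> bool:
    try:   # gate a payload before the .NET deserializer sees it; both limits are assumed
        return len(buf) <= max_bytes and max_nesting_depth(buf) <= max_depth
    except ValueError:
        return False

# Constructed samples; a [Union] value is encoded as a 2-element array [key, value].
BENIGN_UNION = b"\x92\x00\x81\xa4name\xa1x"                       # [0, {"name": "x"}]
NESTED_UNION = b"\x92\xcd\x03\xe7" + b"\x91" * 4999 + b"\x90"     # [999, [[[ ... ]]]]
```

Because the filter never interprets the union key, it does not care whether a key is registered: an unknown key with a shallow value passes, and a deeply nested value is rejected whatever its key.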

Additional resources


Source: this report was generated using AI.

Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technology  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-48517  MEDIUM    6.3    NixOS       messagepack     No                         Jun 22, 2026
CVE-2026-48516  MEDIUM    6.3    NixOS       messagepack     No                         Jun 22, 2026
CVE-2026-48515  MEDIUM    6.3    NixOS       messagepack     No                         Jun 22, 2026
CVE-2026-48514  MEDIUM    6.3    NixOS       messagepack     No                         Jun 22, 2026
CVE-2026-48513  MEDIUM    6.3    NixOS       messagepack     No                         Jun 22, 2026
