CVE-2024-48924: 
C# vulnerability analysis and mitigation

CVE-2024-48924 affects the MessagePack-CSharp library, discovered and disclosed on October 17, 2024. The vulnerability exists in versions < 2.5.187 and >= 2.6.95-alpha, < 3.0.214-rc.1 of the library. When the library is used to deserialize messagepack data from an untrusted source, it becomes vulnerable to denial of service attacks (GitHub Advisory).

The vulnerability stems from inadequate hash collision resistance in the library's deserialization process. An attacker can craft data to produce hash collisions, which leads to disproportionate CPU consumption relative to the size of the data being deserialized. This issue is a continuation of a previous vulnerability that had an inadequate fix for the hash collision component. The vulnerability has been assigned a CVSS v4.0 score of 8.7 HIGH with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD).

The primary impact of this vulnerability is the potential for denial of service attacks. When processing untrusted messagepack data, attackers can cause excessive CPU consumption through crafted inputs that trigger hash collisions, potentially affecting system availability (GitHub Advisory).

The primary mitigation is to upgrade to patched versions: 2.5.187 or 3.0.214-rc.1. For users unable to upgrade, a workaround is available by implementing a custom MessagePackSecurity class that overrides the GetHashCollisionResistantEqualityComparer method with a secure hash function. This custom security implementation should be configured using MessagePackSerializerOptions and applied to all deserialization operations (GitHub Advisory).