SCA: security update for MessagePack (GHSA-wfr3-xj75-pfwh)

medium Tenable Self-Hosted Container Security Plugin ID 443959

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, runtime-generated union
deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do
not decrement reader.Depth around recursive deserialization and skip paths. This means union
deserialization does not consistently participate in the maximum object graph depth enforcement that
protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls
reader.Skip() on attacker-controlled data without an enclosing depth step. This vulnerability is fixed in
2.5.301 and 3.1.7. (CVE-2026-48513)

Solution

Update the MessagePack library and its related packages to version 2.5.301 or later.

See Also

https://github.com/advisories/GHSA-wfr3-xj75-pfwh

Plugin Details

Severity: Medium

ID: 443959

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/26/2026

Updated: 7/6/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-48513

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/25/2026

Vulnerability Publication Date: 6/22/2026

Reference Information

CVE: CVE-2026-48513

cwe: CWE-674