Attack Chain

1. Attacker crafts a malicious MessagePack payload with an invalid timestamp extension length (not 4, 8, or 12 bytes).
2. The target application receives the malicious MessagePack payload from an untrusted source.
3. The application attempts to deserialize the MessagePack data using Nerdbank.MessagePack.
4. During deserialization, the DateTime decoder encounters the malicious timestamp extension.
5. The decoder derives tokenSize from the attacker-controlled extension length before validating its size.
6. The unvalidated size is used in a stackalloc on the streaming reader’s slow path, allocating an excessive amount of stack memory.
7. The excessive stack allocation triggers a StackOverflowException.
8. The StackOverflowException terminates the application process, resulting in a denial of service.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition due to process termination. The vulnerability affects applications deserializing MessagePack data from untrusted sources, particularly those handling long-running processes such as services, APIs, workers, or message consumers. Even small malicious payloads can trigger the vulnerability due to the attacker-controlled extension length. This could potentially disrupt critical business functions relying on affected applications.

Recommendation

• Upgrade to Nerdbank.MessagePack version 1.1.62 or later to remediate the vulnerability.
• Implement pre-validation of MessagePack extension headers, rejecting timestamp extensions with lengths other than 4, 8, or 12 bytes, as suggested in the advisory [GHSA-2cwq-pwfr-wcw3].
• Deploy the Sigma rule “Nerdbank MessagePack Suspicious Stack Allocation” to detect potential exploitation attempts in your environment.
• If immediate patching is not feasible, consider running deserialization of untrusted payloads in isolated processes that can be safely restarted, as described in [GHSA-2cwq-pwfr-wcw3].