GHSA-92vj-hp7m-gwcj

Source
https://github.com/advisories/GHSA-92vj-hp7m-gwcj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-92vj-hp7m-gwcj/GHSA-92vj-hp7m-gwcj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-92vj-hp7m-gwcj
Published
2026-05-29T20:02:59Z
Modified
2026-05-29T20:15:13.171119126Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Nerdbank.MessagePack has Inefficient CPU Computation
Details

Impact

Applications that call OptionalConverters.WithExpandoObjectConverter and deserialize untrusted data are exposed to a denial-of-service condition: an attacker can supply an ExpandoObject with a great many properties, and because ExpandoObject's Add method is an O(n) operation, populating the object becomes an O(n²) algorithm that burns an inordinate amount of CPU for a comparatively small payload.

Patches

Update to a patched version.

If a project's ExpandoObject data requires more than 128 properties, the default limit should be changed:

this.Serializer = this.Serializer with
{
    StartingContext = this.Serializer.StartingContext with
    {
        Security = this.Serializer.StartingContext.Security with
        {
            ExpandoObjectMaxPropertyCount = 256, // Set this to whatever limit is required by your application
        },
    },
};

Workarounds

Avoid the non-default WithExpandoObjectConverter extension method when deserializing untrusted data. If deserializing untrusted data into an ExpandoObject is required, developers should write a custom converter for their project that limits the number of properties allowed before initializing the object.
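The following is an added example of the custom converter the workaround describes, and of the property-count check behind the ExpandoObjectMaxPropertyCount setting in the Patches section; it is not code from the advisory or from the Nerdbank.MessagePack project. It assumes the library's public converter surface (a MessagePackConverter<T> base class with Read/Write overrides, MessagePackReader.ReadMapHeader/ReadString/NextMessagePackType, SerializationContext.DepthStep and MessagePackSerializationException); confirm those names against the version you use. The class name BoundedExpandoObjectConverter and the 128 default are choices made here.

```csharp
using System;
using System.Collections.Generic;
using System.Dynamic;
using Nerdbank.MessagePack;

// Example converter (not the library's own). It reads the msgpack map header first and
// rejects oversized objects before any property is added, so an attacker-controlled
// payload cannot drive the O(n) ExpandoObject.Add path n times.
public sealed class BoundedExpandoObjectConverter : MessagePackConverter<ExpandoObject>
{
    private readonly int maxPropertyCount;

    // 128 mirrors the default limit described in the advisory; tune per application.
    public BoundedExpandoObjectConverter(int maxPropertyCount = 128)
    {
        if (maxPropertyCount < 0) throw new ArgumentOutOfRangeException(nameof(maxPropertyCount));
        this.maxPropertyCount = maxPropertyCount;
    }

    public override ExpandoObject? Read(ref MessagePackReader reader, SerializationContext context)
    {
        if (reader.TryReadNil())
        {
            return null;
        }

        // Assumed library requirement: custom converters account for nesting depth.
        context.DepthStep();

        // The map header states the property count up front, so the bound is enforced in
        // O(1) before the ExpandoObject is touched, instead of after n O(n) insertions.
        int count = reader.ReadMapHeader();
        if (count > this.maxPropertyCount)
        {
            throw new MessagePackSerializationException(
                $"ExpandoObject has {count} properties; limit is {this.maxPropertyCount}.");
        }

        var result = new ExpandoObject();
        IDictionary<string, object?> dict = result;
        for (int i = 0; i < count; i++)
        {
            string key = reader.ReadString()
                ?? throw new MessagePackSerializationException("Property names must be strings.");
            dict[key] = ReadScalar(ref reader); // indexer set: a duplicate key overwrites rather than throws
        }

        return result;
    }

    public override void Write(ref MessagePackWriter writer, in ExpandoObject? value, SerializationContext context)
    {
        if (value is null)
        {
            writer.WriteNil();
            return;
        }

        IDictionary<string, object?> dict = value;
        writer.WriteMapHeader(dict.Count);
        foreach (KeyValuePair<string, object?> pair in dict)
        {
            writer.Write(pair.Key);
            WriteScalar(ref writer, pair.Value);
        }
    }

    // Only scalar property values are accepted here; nested maps or arrays would need the
    // same bounded treatment recursively, so they are rejected rather than silently allowed.
    private static object? ReadScalar(ref MessagePackReader reader)
    {
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Nil: reader.ReadNil(); return null;
            case MessagePackType.Boolean: return reader.ReadBoolean();
            case MessagePackType.Integer: return reader.ReadInt64();
            case MessagePackType.Float: return reader.ReadDouble();
            case MessagePackType.String: return reader.ReadString();
            default:
                throw new MessagePackSerializationException(
                    $"Unsupported ExpandoObject value type {reader.NextMessagePackType}.");
        }
    }

    private static void WriteScalar(ref MessagePackWriter writer, object? value)
    {
        switch (value)
        {
            case null: writer.WriteNil(); break;
            case bool b: writer.Write(b); break;
            case int i: writer.Write(i); break;
            case long l: writer.Write(l); break;
            case double d: writer.Write(d); break;
            case string s: writer.Write(s); break;
            default:
                throw new MessagePackSerializationException(
                    $"Unsupported ExpandoObject value type {value.GetType()}.");
        }
    }
}
```

Register the converter on the serializer in place of the WithExpandoObjectConverter extension method (the exact registration property is version-dependent and not taken from the advisory). The essential point is the order of operations: the header count is compared against the limit before the first Add call, which is what turns an attacker-controlled O(n²) loop into a constant-time rejection.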

Database specific
{
    "github_reviewed_at": "2026-05-29T20:02:59Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-1176"
    ]
}
References

Affected packages

NuGet / Nerdbank.MessagePack

Package

Name
Nerdbank.MessagePack
Purl
pkg:nuget/Nerdbank.MessagePack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.4

Affected versions

0.*
0.1.705-alpha-gad428877b7
0.1.734-alpha-g09268fd45c
0.2.2-alpha
0.2.34-alpha
0.2.52-alpha
0.2.82-alpha
0.2.108-alpha
0.3.2-alpha
0.3.27-alpha
0.3.38-beta
0.3.120-beta
0.3.151-beta
0.3.161-beta
0.4.5-beta
0.5.1-beta
0.5.37-beta
0.5.57-beta
0.5.72-beta
0.5.80-beta
0.6.1-beta
0.6.7-beta
0.6.27-beta
0.7.1-beta
0.8.1-rc
0.8.30-rc
0.8.46-rc
0.8.54-rc
0.8.67-rc
0.8.82-rc
0.8.90-rc
0.8.92-rc
0.8.102-rc
0.8.111-rc
0.8.128-rc
0.8.131-rc
0.9.12-rc
0.9.14-rc
0.9.23-rc
0.9.26-rc
0.9.35-rc
0.10.2-rc
0.10.7-rc
1.*
1.0.2
1.0.11
1.0.40
1.0.43
1.1.25
1.1.62
1.1.78

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-92vj-hp7m-gwcj/GHSA-92vj-hp7m-gwcj.json"