Nerdbank.MessagePack Uncontrolled Stack Allocation Vulnerability in DateTime Decoding

Vulnerability

A vulnerability allowing uncontrolled stack allocation has been identified in Nerdbank.MessagePack, a NativeAOT-compatible MessagePack serialization library. The issue affects versions prior to 1.1.62 and arises while decoding DateTime values: a malicious MessagePack payload can declare an excessively large timestamp extension length, causing the reader to allocate an attacker-chosen number of bytes on the stack. The result is a StackOverflowException, which user code cannot catch and which terminates the process. The vulnerability is particularly concerning for applications that deserialize MessagePack data from untrusted sources into types containing DateTime fields, since a single payload can take down the service or process that relies on that data.

Impact

Exploitation of this vulnerability causes a StackOverflowException, terminating the process. This behavior can disrupt applications, services, or APIs that deserialize untrusted MessagePack data and rely on the affected process remaining active.

Reproduction

The vulnerability can be reproduced by deserializing a MessagePack payload that contains a timestamp extension whose declared length exceeds the allowed sizes of 4, 8, or 12 bytes, using a Nerdbank.MessagePack version prior to 1.1.62.

Remediation

Users can upgrade to Nerdbank.MessagePack version 1.1.62 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, it is recommended to avoid deserializing untrusted MessagePack payloads into types that include DateTime fields. As an alternative, MessagePack extension headers can be pre-validated before deserialization, rejecting any timestamp extension whose declared length is not one of the valid sizes.
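One way to implement the pre-validation mitigation described above, as an added example that is not part of the advisory and not Nerdbank.MessagePack's own code: a small Python walker over the MessagePack wire format that visits every value (timestamp extensions can sit inside nested arrays and maps, so a header-only peek is not enough), reads each ext header, and rejects a timestamp ext (type -1) whose declared length is not 4, 8, or 12. The function names, the nesting cap, and the sample payloads are assumptions constructed for this example.

```python
import struct

TIMESTAMP_EXT_TYPE = -1                  # MessagePack reserves ext type -1 for timestamps
ALLOWED_TIMESTAMP_LENGTHS = {4, 8, 12}   # timestamp 32 / timestamp 64 / timestamp 96
MAX_DEPTH = 64                           # nesting cap so the validator itself cannot be driven deep


class InvalidPayload(ValueError):
    """Malformed input or a timestamp ext whose length is not 4, 8 or 12."""


def _need(buf: bytes, pos: int, n: int) -> None:
    if pos + n > len(buf):
        raise InvalidPayload(f"truncated payload at offset {pos}")


def _read_len(buf: bytes, pos: int, width: int):
    _need(buf, pos, width)
    return struct.unpack_from({1: ">B", 2: ">H", 4: ">I"}[width], buf, pos)[0], pos + width


def _check_ext(buf: bytes, type_pos: int, length: int, header_pos: int) -> None:
    ext_type = struct.unpack_from(">b", buf, type_pos)[0]   # ext type is a signed byte
    if ext_type == TIMESTAMP_EXT_TYPE and length not in ALLOWED_TIMESTAMP_LENGTHS:
        raise InvalidPayload(f"timestamp ext at offset {header_pos} declares {length} bytes; "
                             f"only {sorted(ALLOWED_TIMESTAMP_LENGTHS)} are legal")


def _skip_n(buf: bytes, pos: int, count: int, depth: int) -> int:
    for _ in range(count):
        pos = _skip_value(buf, pos, depth + 1)
    return pos


def _skip_value(buf: bytes, pos: int, depth: int = 0) -> int:
    """Walk one MessagePack value at pos, checking every ext header; return the offset after it."""
    if depth > MAX_DEPTH:
        raise InvalidPayload(f"nesting deeper than {MAX_DEPTH} at offset {pos}")
    _need(buf, pos, 1)
    b, start = buf[pos], pos
    pos += 1
    if b <= 0x7F or b >= 0xE0 or b in (0xC0, 0xC2, 0xC3):      # fixint, nil, false, true
        return pos
    if b == 0xC1:
        raise InvalidPayload(f"reserved byte 0xc1 at offset {start}")
    if 0xA0 <= b <= 0xBF:                                       # fixstr
        _need(buf, pos, b & 0x1F)
        return pos + (b & 0x1F)
    if 0x90 <= b <= 0x9F:                                       # fixarray
        return _skip_n(buf, pos, b & 0x0F, depth)
    if 0x80 <= b <= 0x8F:                                       # fixmap: key + value per entry
        return _skip_n(buf, pos, (b & 0x0F) * 2, depth)
    fixed = {0xCA: 4, 0xCB: 8, 0xCC: 1, 0xCD: 2, 0xCE: 4, 0xCF: 8,   # float32/64, uint8..64
             0xD0: 1, 0xD1: 2, 0xD2: 4, 0xD3: 8}                    # int8..64
    if b in fixed:
        _need(buf, pos, fixed[b])
        return pos + fixed[b]
    prefixed = {0xC4: 1, 0xC5: 2, 0xC6: 4, 0xD9: 1, 0xDA: 2, 0xDB: 4}   # bin8/16/32, str8/16/32
    if b in prefixed:
        n, pos = _read_len(buf, pos, prefixed[b])
        _need(buf, pos, n)
        return pos + n
    fixext = {0xD4: 1, 0xD5: 2, 0xD6: 4, 0xD7: 8, 0xD8: 16}           # fixext: type byte, then data
    if b in fixext:
        _need(buf, pos, 1 + fixext[b])
        _check_ext(buf, pos, fixext[b], start)
        return pos + 1 + fixext[b]
    ext = {0xC7: 1, 0xC8: 2, 0xC9: 4}                                   # ext8/16/32: length, type, data
    if b in ext:
        n, pos = _read_len(buf, pos, ext[b])
        _need(buf, pos, 1)
        _check_ext(buf, pos, n, start)       # reject a bad timestamp length before trusting n at all
        _need(buf, pos + 1, n)
        return pos + 1 + n
    if b in (0xDC, 0xDD):                                               # array16/32
        n, pos = _read_len(buf, pos, 2 if b == 0xDC else 4)
        return _skip_n(buf, pos, n, depth)
    if b in (0xDE, 0xDF):                                               # map16/32
        n, pos = _read_len(buf, pos, 2 if b == 0xDE else 4)
        return _skip_n(buf, pos, n * 2, depth)
    raise InvalidPayload(f"unexpected type byte 0x{b:02x} at offset {start}")


def validate_timestamp_exts(payload: bytes) -> bool:
    """True when every timestamp ext in payload has a legal length; raises InvalidPayload otherwise."""
    end = _skip_value(payload, 0)
    if end != len(payload):
        raise InvalidPayload(f"{len(payload) - end} trailing byte(s) after the top-level value")
    return True


def is_safe_to_deserialize(payload: bytes) -> bool:
    """Boolean form for callers that gate deserialization rather than propagate the error."""
    try:
        return validate_timestamp_exts(payload)
    except InvalidPayload:
        return False


# Constructed sample payloads for this example (not taken from the advisory)
OK_TS32 = b"\x81\xa2ts\xd6\xff\x00\x00\x00\x00"   # {"ts": timestamp 32} via fixext4
OK_TS96 = b"\xc7\x0c\xff" + b"\x00" * 12          # ext8, length 12, type -1 (timestamp 96)
BAD_TS_200 = b"\xc7\xc8\xff" + b"\x00" * 200      # ext8, length 200, type -1: not a valid timestamp
BAD_TS_HUGE = b"\xc9\xff\xff\xff\xff\xff"         # ext32 claiming a 4 GiB timestamp

if __name__ == "__main__":
    for name, p in [("OK_TS32", OK_TS32), ("OK_TS96", OK_TS96),
                    ("BAD_TS_200", BAD_TS_200), ("BAD_TS_HUGE", BAD_TS_HUGE)]:
        print(name, "safe" if is_safe_to_deserialize(p) else "rejected")
```

The check on the length runs before the walker trusts the declared length for anything else, so an ext32 header claiming gigabytes is refused on the header alone. The walker also rejects truncated input, the reserved 0xc1 byte, and nesting beyond MAX_DEPTH, since a validator that can itself be driven into deep recursion would only move the problem. Extensions of other types are left alone; this gate is only about the timestamp shape the advisory describes and is not a substitute for upgrading to 1.1.62 or later.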

Added: May 14, 2026, 3:22 PM
Updated: May 14, 2026, 3:22 PM

Vulnerability Rating (Custom Algorithm)

  spread          7.8
  impact          2.5
  exploitability  5.7
  remediation     7.9
  relevance       8.3
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.