GHSA-q2h6-ghwm-5qm8
MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings
## Summary
`InterfaceLookupFormatter<TKey,TElement>` constructs an internal `Dictionary<TKey, IGrouping<TKey,TElement>>` with the default equality comparer instead of the security-aware comparer supplied by `options.Security.GetEqualityComparer<TKey>()`.
Other hash-based collection formatters use the security-aware comparer when `MessagePackSecurity.UntrustedData` is configured. This formatter omission allows hash-collision CPU denial of service against `ILookup<TKey,TElement>` even when the application has opted into the untrusted-data security posture.
## Impact
Applications are affected when they deserialize untrusted payloads into schemas containing `ILookup<TKey,TElement>` with a key type for which attacker-controlled hash collisions are feasible.
Under the default comparer, many colliding keys can degrade dictionary insertion from amortized constant time to quadratic behavior. A payload of colliding keys can consume CPU for a disproportionate amount of time. This bypasses the mitigation that developers intentionally enabled by using `MessagePackSecurity.UntrustedData`.
## Affected components
- Package: `MessagePack`
- API: `InterfaceLookupFormatter<TKey,TElement>.Create`
- Data type: `ILookup<TKey,TElement>`
- Finding ID: `MESSAGEPACKCSHARP-041`
## Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
1. Upgrade `MessagePack` to the patched version for your release line.
2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should create the internal dictionary with `options.Security.GetEqualityComparer<TKey>()`, matching the sibling dictionary and lookup formatter behavior.
## Workarounds
Patching is recommended.
Until a patched version is available, avoid exposing `ILookup<TKey,TElement>` in DTOs that deserialize untrusted data. Use collection shapes that are already protected by the security-aware comparer path, or validate and cap collection sizes at the transport boundary.
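The following C# example is added here to illustrate both the fix described under Patches and the workaround above; it is not code from the MessagePack-CSharp repository. The two `BuildGroups*` helpers are hypothetical stand-ins for the internal dictionary construction in the formatter, and `PayloadDto` is a constructed DTO showing a collection shape that already goes through the security-aware comparer path, with a size cap applied after deserialization. `MessagePackSerializerOptions.WithSecurity`, `MessagePackSecurity.UntrustedData` and `MessagePackSecurity.GetEqualityComparer<T>()` are real MessagePack APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using MessagePack;

// Hypothetical stand-ins for the formatter's internal dictionary creation.
static class LookupComparerExample
{
    // Vulnerable pattern: the dictionary is created with the default comparer,
    // so options.Security is ignored and colliding keys degrade insertion cost.
    public static Dictionary<TKey, IGrouping<TKey, TElement>> BuildGroupsUnsafe<TKey, TElement>(
        MessagePackSerializerOptions options, int capacity)
        => new Dictionary<TKey, IGrouping<TKey, TElement>>(capacity);

    // Fixed pattern: the comparer comes from the options' security settings,
    // matching what the sibling dictionary and lookup formatters already do.
    public static Dictionary<TKey, IGrouping<TKey, TElement>> BuildGroupsSafe<TKey, TElement>(
        MessagePackSerializerOptions options, int capacity)
        => new Dictionary<TKey, IGrouping<TKey, TElement>>(
            capacity, options.Security.GetEqualityComparer<TKey>());
}

// Constructed DTO for the workaround: a Dictionary of lists instead of ILookup,
// so the existing security-aware dictionary formatter path is used.
[MessagePackObject]
public class PayloadDto
{
    [Key(0)]
    public Dictionary<string, List<int>> GroupsByKey { get; set; } = new();
}

static class Program
{
    // Constructed cap for the transport boundary; tune to the real schema.
    const int MaxGroups = 10_000;

    static void Main()
    {
        var options = MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData);

        // Show that the two construction paths do not agree on the comparer.
        var unsafeDict = LookupComparerExample.BuildGroupsUnsafe<string, int>(options, 0);
        var safeDict = LookupComparerExample.BuildGroupsSafe<string, int>(options, 0);
        Console.WriteLine($"unsafe comparer: {unsafeDict.Comparer.GetType().Name}");
        Console.WriteLine($"safe comparer:   {safeDict.Comparer.GetType().Name}");

        // Constructed sample payload standing in for untrusted input.
        var sample = new PayloadDto();
        sample.GroupsByKey["a"] = new List<int> { 1, 2 };
        sample.GroupsByKey["b"] = new List<int> { 3 };
        byte[] bytes = MessagePackSerializer.Serialize(sample, options);

        // Deserialize with the untrusted-data posture, then enforce a size cap.
        var received = MessagePackSerializer.Deserialize<PayloadDto>(bytes, options);
        if (received.GroupsByKey.Count > MaxGroups)
        {
            throw new InvalidOperationException("payload exceeds group cap");
        }
        Console.WriteLine($"accepted {received.GroupsByKey.Count} groups");
    }
}
```

The `BuildGroupsSafe` shape is the one-line change the advisory calls for; the DTO half shows the interim option of avoiding `ILookup<TKey,TElement>` in schemas that receive untrusted bytes while still running under `MessagePackSecurity.UntrustedData`.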
## Resources
- `MESSAGEPACKCSHARP-041`: `InterfaceLookupFormatter` missing security comparer
- CWE-407: Inefficient Algorithmic Complexity
## Affected packages

| Affected version line | Fixed in | Install command |
|---|---|---|
| 0 | 2.5.301 | `dotnet add package MessagePack --version 2.5.301` |
| 3.0 | 3.1.7 | `dotnet add package MessagePack --version 3.1.7` |