[deps]: Update MessagePack to 3.1.7 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
MessagePack	3.1.4 → 3.1.7

---

MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input

CVE-2026-48109 / GHSA-hv8m-jj95-wg3x

More information

Details

Impact

A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray.

The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure.

This issue affects applications that deserialize untrusted data while LZ4 compression is enabled.

Patches

The v2 versions are patched as of 2.5.301.
The v3 versions are patched as of 3.1.7.

Workarounds

Instead of upgrading, an application may take the following precautions:

1. Disable LZ4 compression for untrusted input paths (Lz4Block, Lz4BlockArray).
2. Only accept compressed payloads from strongly trusted producers.
3. Isolate deserialization in a separate process/container with restart supervision to limit availability impact.

Resources

• MESSAGEPACKCSHARP-010

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

References

• https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-hv8m-jj95-wg3x
• https://github.com/advisories/GHSA-hv8m-jj95-wg3x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

MessagePack-CSharp/MessagePack-CSharp (MessagePack)

v3.1.7

What's Changed

• Add scoped to MessagePackWriter.Write(ReadOnlySpan<T>) methods by @​AArnott in #​2271
• Fix security issues in master by @​AArnott in #​2274

Security release details

This release fixes 3 high severity and 9 moderate severity security vulnerabilities.

High severity advisory fixes

• 26d4e74 GHSA-382j-8mxh-c7x2 Reject invalid DateTime ext lengths for CWE-789
• b9cb605 GHSA-vh6j-jc39-fggf Use iteration for skipping msgpack structures for CWE-674
• 719e690 GHSA-hv8m-jj95-wg3x Bound LZ4 input reads for CWE-125

Moderage severity advisory fixes

• 2b5a500 GHSA-v72x-2h86-7f8m Guard LZ4 decompression length for CWE-409
• f093bdc GHSA-qhmf-xw27-6rqr Reject nested typeless blocklist bypass for CWE-502
• f077798 GHSA-2f33-pr97-265q Default MVC input formatter to UntrustedData for CWE-1188
• 25a3493 GHSA-2x83-8g95-xh59 Limit untrusted ExpandoObject maps for CWE-407
• b414e6d GHSA-wfr3-xj75-pfwh Guard dynamic union depth for CWE-674
• 0555f07 GHSA-w567-gjr2-hm5j Validate Unity blit lengths for CWE-789
• 9b5783a GHSA-cxmj-83gh-fp49 Fix CWE-789 multidimensional array allocation validation
• f96fcf0 GHSA-q2h6-ghwm-5qm8 Use secure lookup comparer for CWE-407
• b3af7cf GHSA-cj9g-3mj2-g8vv Guard JSON conversion depth for CWE-674
• 66ad089 GHSA-cj9g-3mj2-g8vv Avoid JSON separator recursion for CWE-674
• 082ba7d GHSA-cj9g-3mj2-g8vv Guard typeless JSON depth for CWE-674

Fixes with no security advisory

• fb0fe9f Honor TypeFormatter options hooks for CWE-470
• c1c06a6 Fix WriteRawX methods to advance by written length
• 46c6a0f Fix CWE-190 map header length overflow

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.6...v3.1.7

v3.1.6

What's Changed

• Add several known unsafe 'gadgets' to the disallow list by @​AArnott in #​2270

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.5...v3.1.6

v3.1.5

What's Changed

• Remove unneeded GetTypeInfo() calls by @​Bykiev in #​2206
• Use 'Write' instead of 'WriteInt32' for union type keys by @​VictorNicollet in #​2212
• Fix various disposable issues by @​Bykiev in #​2224
• fix: prevent StackOverflow in Equals with recursive generic constraints by @​khuongntrd in #​2226
• Add more types to the default disallow list of named types to be deserialized by @​AArnott in #​2256
• Fix release workflow by @​AArnott in #​2268
• Fix Incorrect DateTimeOffset Serializer by @​T0PP1ng in #​2225
• Revert DateTimeOffset encoding change by @​AArnott in #​2262

New Contributors

• @​Bykiev made their first contribution in #​2206
• @​VictorNicollet made their first contribution in #​2212
• @​T0PP1ng made their first contribution in #​2225
• @​khuongntrd made their first contribution in #​2226

Full Changelog: MessagePack-CSharp/MessagePack-CSharp@v3.1.4...v3.1.5

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.