Summary
InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>().
Other hash-based collection formatters use the security-aware comparer when MessagePackSecurity.UntrustedData is configured. This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture.
Impact
Applications are affected when they deserialize untrusted payloads into schemas containing ILookup<TKey,TElement> with a key type for which attacker-controlled hash collisions are feasible.
Under the default comparer, many colliding keys can degrade dictionary insertion from amortized constant time to quadratic behavior. A payload of colliding keys can consume CPU for a disproportionate amount of time. This bypasses the mitigation that developers intentionally enabled by using MessagePackSecurity.UntrustedData.
Affected components
- Package: MessagePack
- API: InterfaceLookupFormatter<TKey,TElement>.Create
- Data type: ILookup<TKey,TElement>
- Finding ID: MESSAGEPACKCSHARP-041
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade MessagePack to the patched version for your release line.
- Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should create the internal dictionary with options.Security.GetEqualityComparer<TKey>(), matching the sibling dictionary and lookup formatter behavior.
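The contrast below is an added C# illustration, not MessagePack's own formatter source. It builds an ILookup<TKey,TElement> first the way the defective formatter does (default comparer, so the configured security policy is ignored) and then the way the advisory says the fix should (comparer taken from options.Security.GetEqualityComparer<TKey>()). The class and method names LookupConstruction, BuildWithDefaultComparer and BuildWithSecurityComparer are assumptions made for this example; the sample key/value pairs are constructed. MessagePackSerializerOptions.Standard.WithSecurity(MessagePackSecurity.UntrustedData) is the public MessagePack API for opting into the untrusted-data posture.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using MessagePack;

// Added illustration (not MessagePack's own code): how a lookup-style formatter
// should choose its equality comparer.
public static class LookupConstruction
{
    // Weak form, mirroring the defect in the advisory: Enumerable.ToLookup falls
    // back to EqualityComparer<TKey>.Default, so MessagePackSecurity.UntrustedData
    // has no effect on how keys are hashed.
    public static ILookup<TKey, TElement> BuildWithDefaultComparer<TKey, TElement>(
        IEnumerable<KeyValuePair<TKey, TElement>> pairs)
    {
        return pairs.ToLookup(p => p.Key, p => p.Value);
    }

    // Corrected form: the comparer comes from the serializer options. Under
    // MessagePackSecurity.UntrustedData, GetEqualityComparer<TKey>() returns the
    // collision-resistant comparer for supported key types, matching what the
    // sibling dictionary formatters already do.
    public static ILookup<TKey, TElement> BuildWithSecurityComparer<TKey, TElement>(
        IEnumerable<KeyValuePair<TKey, TElement>> pairs,
        MessagePackSerializerOptions options)
    {
        IEqualityComparer<TKey> comparer = options.Security.GetEqualityComparer<TKey>();
        return pairs.ToLookup(p => p.Key, p => p.Value, comparer);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: two values share the key "alpha".
        var pairs = new[]
        {
            new KeyValuePair<string, int>("alpha", 1),
            new KeyValuePair<string, int>("alpha", 2),
            new KeyValuePair<string, int>("beta", 3),
        };

        // The posture an application opts into when it deserializes untrusted data.
        MessagePackSerializerOptions options = MessagePackSerializerOptions.Standard
            .WithSecurity(MessagePackSecurity.UntrustedData);

        ILookup<string, int> lookup =
            LookupConstruction.BuildWithSecurityComparer(pairs, options);

        Console.WriteLine(lookup["alpha"].Count()); // 2
        Console.WriteLine(lookup["beta"].Single()); // 3
    }
}
```

The behavioural difference is only in the comparer: both forms return the same groupings for benign input, which is why the omission is easy to miss in functional tests. A unit test that asserts the formatter's internal dictionary uses the comparer returned by options.Security.GetEqualityComparer<TKey>() under UntrustedData is the check that would have caught this.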
Workarounds
Patching is recommended.
Until a patched version is available, avoid exposing ILookup<TKey,TElement> in DTOs that deserialize untrusted data. Use collection shapes that are already protected by the security-aware comparer path, or validate and cap collection sizes at the transport boundary.
Resources
- MESSAGEPACKCSHARP-041: InterfaceLookupFormatter missing security comparer
- CWE-407: Inefficient Algorithmic Complexity
References