CVE-2024-48924

Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
17/10/2024
Last modified:
18/10/2024

Description

### Impact

When this library is used to deserialize MessagePack data from an untrusted source, there is a risk of a denial of service attack by an attacker who sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialized.

This is similar to [a prior advisory](https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf), which provided an inadequate fix for the hash collision part of the vulnerability.

### Patches

The following steps are required to mitigate this risk.

1. Upgrade to a version of the library where a fix is available.
2. Review the steps in [this previous advisory](https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf) to ensure you have your application configured for untrusted data.

### Workarounds

If upgrading MessagePack to a patched version is not an option for you, you may apply a manual workaround as follows:

1. Declare a class that derives from `MessagePackSecurity`.
2. Override the `GetHashCollisionResistantEqualityComparer` method to provide a collision-resistant hash function of your own, and avoid calling `base.GetHashCollisionResistantEqualityComparer()`.
3. Configure a `MessagePackSerializerOptions` with an instance of your derived type by calling `WithSecurity` on an existing options object.
4. Use your custom options object for all deserialization operations. This may be done by setting the `MessagePackSerializer.DefaultOptions` static property, if you call methods that rely on this default property, and/or by passing the options object explicitly to any `Deserialize` method.

### References

- Learn more about best security practices when reading untrusted data with [MessagePack 1.x](https://github.com/MessagePack-CSharp/MessagePack-CSharp/tree/v1.x#security) or [MessagePack 2.x](https://github.com/MessagePack-CSharp/MessagePack-CSharp#security).
- The .NET team's [discussion on hash collision vulnerabilities of their `HashCode` struct](https://github.com/GrabYourPitchforks/runtime/blob/threat_models/docs/design/security/System.HashCode.md).

### For more information

If you have any questions or comments about this advisory:

* [Start a public discussion](https://github.com/MessagePack-CSharp/MessagePack-CSharp/discussions)
* [Email us privately](mailto:andrewarnott@live.com)
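The four workaround steps above, as an added C# example that is not part of the advisory or of MessagePack-CSharp. It assumes the MessagePack 2.x API's protected copy constructor `MessagePackSecurity(MessagePackSecurity)`, its virtual `Clone()` and its generic `GetHashCollisionResistantEqualityComparer<T>()` overload, plus .NET 6 or later for the one-shot `HMACSHA256.HashData`; the names `KeyedHashSecurity`, `KeyedComparer` and `UntrustedInput.ReadCounts` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using MessagePack;

// Hypothetical workaround class (added example, not from the advisory or the library):
// every setting is copied from MessagePackSecurity.UntrustedData; only the hash changes.
public sealed class KeyedHashSecurity : MessagePackSecurity
{
    // Per-process secret; an attacker who cannot learn it cannot precompute colliding keys.
    private static readonly byte[] Secret = RandomNumberGenerator.GetBytes(32);

    public KeyedHashSecurity() : base(MessagePackSecurity.UntrustedData) { }
    private KeyedHashSecurity(MessagePackSecurity copyFrom) : base(copyFrom) { }

    // The With*() methods return Clone(); overriding it keeps this type (and its override) in use.
    protected override MessagePackSecurity Clone() => new KeyedHashSecurity(this);

    // Step 2 of the workaround: supply our own comparer and never fall back to base.
    protected override IEqualityComparer<T> GetHashCollisionResistantEqualityComparer<T>()
        => new KeyedComparer<T>();

    // HMAC-SHA256(secret, msgpack(key)) truncated to 32 bits. Assumption: keys that are equal
    // under EqualityComparer<T>.Default serialize identically (true for strings and numbers).
    private sealed class KeyedComparer<T> : IEqualityComparer<T>
    {
        public bool Equals(T x, T y) => EqualityComparer<T>.Default.Equals(x, y);

        public int GetHashCode(T key)
        {
            byte[] encoded = MessagePackSerializer.Serialize(key, MessagePackSerializerOptions.Standard);
            Span<byte> mac = stackalloc byte[32];
            HMACSHA256.HashData(Secret, encoded, mac);
            return BitConverter.ToInt32(mac);
        }
    }
}

public static class UntrustedInput
{
    // Steps 3 and 4: one options object carrying the custom security, passed to every Deserialize call.
    public static readonly MessagePackSerializerOptions Options =
        MessagePackSerializerOptions.Standard.WithSecurity(new KeyedHashSecurity());

    public static Dictionary<string, int> ReadCounts(ReadOnlyMemory<byte> untrustedBytes)
        => MessagePackSerializer.Deserialize<Dictionary<string, int>>(untrustedBytes, Options);
}
```

HMAC is used here for clarity rather than speed; a keyed table hash such as SipHash is the usual faster choice. If your library version also exposes a non-generic `GetHashCollisionResistantEqualityComparer()` overload, override it the same way.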