cbor2 is vulnerable to Denial of Service (DoS)
High Risk
Affected versions of the package are vulnerable to denial of service (DoS) because decode_definite_long_string() can drive a decoder into an unlimited read loop. The function retains an outdated buffer_size after consuming UTF-8 leftovers; on the next iteration it computes chunk_length = 65536 - buffer_size, which can become negative and is then passed unchecked to read(-1). This results in an unbounded read followed by a CBORDecodeEOF error, allowing an attacker who can feed a crafted stream to cause excessive resource consumption or crash the decoder.
You are affected if you are using a version that falls within the vulnerable range.
cbor2 is vulnerable to Denial of Service (DoS) in versions 5.6.0 - 5.7.0.
Upgrade the cbor2 library to a patched version outside the affected range.