Vulnerability Description
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.
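The reuse defect described above, modelled as an added example (this is not cbor2's own code, and the names MiniDecoder, second_message_result and the two constructed message byte strings are assumptions made here): a decoder for a tiny CBOR subset whose shareable table either persists on the object across calls, or is reset on every top-level decode so that a tag 29 reference can never resolve to a value from an earlier message.

```python
# Added example, not cbor2's own code: a minimal CBOR-subset decoder (uint,
# text string, tags 28/29) modelling the defect and the per-message reset.
class MiniDecoder:
    def __init__(self, reset_per_message):
        self.reset_per_message = reset_per_message
        self._shareables = []          # values registered under tag 28

    def decode(self, data):
        if self.reset_per_message:     # hardened: no state crosses a message
            self._shareables = []
        value, _ = self._item(data, 0)
        return value

    def _head(self, data, pos):
        major, info = data[pos] >> 5, data[pos] & 0x1F
        if info < 24:
            return major, info, pos + 1
        width = {24: 1, 25: 2, 26: 4, 27: 8}[info]
        return major, int.from_bytes(data[pos + 1:pos + 1 + width], "big"), pos + 1 + width

    def _item(self, data, pos):
        major, arg, pos = self._head(data, pos)
        if major == 0:                                   # unsigned int
            return arg, pos
        if major == 3:                                   # text string
            return data[pos:pos + arg].decode("utf-8"), pos + arg
        if major == 6 and arg == 28:                     # shareable: register value
            idx = len(self._shareables)
            self._shareables.append(None)
            value, pos = self._item(data, pos)
            self._shareables[idx] = value
            return value, pos
        if major == 6 and arg == 29:                     # sharedref: look up by index
            idx, pos = self._item(data, pos)
            if not isinstance(idx, int) or idx >= len(self._shareables):
                raise ValueError("sharedref to undefined shareable")
            return self._shareables[idx], pos
        raise ValueError(f"unsupported item: major={major}, arg={arg}")

# Constructed messages: tag(28) "secret", then a message that is only tag(29) 0.
MSG_WITH_SHAREABLE = bytes([0xD8, 0x1C, 0x66]) + b"secret"
MSG_REF_ONLY = bytes([0xD8, 0x1D, 0x00])

def second_message_result(reset_per_message):
    # Decode one message, then an unrelated one, on the same decoder object;
    # returns the second result, or None if the decoder rejected the reference.
    dec = MiniDecoder(reset_per_message)
    dec.decode(MSG_WITH_SHAREABLE)
    try:
        return dec.decode(MSG_REF_ONLY)
    except ValueError:
        return None
```

With the persisting table the second message resolves to the first message's value; with the per-message reset the dangling reference is rejected, which is the behaviour a consumer should expect from a decoder shared across trust boundaries.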
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Agronholm | Cbor2 | >= 3.0.0, < 5.8.0 |
Related Weaknesses (CWE)
References
- https://github.com/agronholm/cbor2/pull/268 (Exploit, Patch)
- https://github.com/agronholm/cbor2/security/advisories/GHSA-wcj4-jw5j-44wh (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-68131?
CVE-2025-68131 is a vulnerability with a CVSS score of 7.5 (HIGH). cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reu...
How severe is CVE-2025-68131?
CVE-2025-68131 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-68131?
Check the references section above for vendor advisories and patch information. Affected products include: Agronholm Cbor2.