CVE-2025-68131

Name: CVE-2025-68131
Description: cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release       Version    Status
cbor2 (PTS)       bullseye      5.2.0-4    vulnerable
cbor2 (PTS)       bookworm      5.4.6-1    vulnerable
cbor2 (PTS)       trixie        5.6.5-1    vulnerable
cbor2 (PTS)       forky, sid    5.7.1-1    vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency        Origin    Debian Bugs
cbor2      source    (unstable)    (unfixed)        unimportant

Notes

https://github.com/agronholm/cbor2/security/advisories/GHSA-wcj4-jw5j-44wh
https://github.com/agronholm/cbor2/pull/268
Fixed by: https://github.com/agronholm/cbor2/commit/fb4ee1612a8a1ac0dbd8cf2f2f6f931a4e06d824 (5.8.0)
Debian builds src:cbor2 with CBOR2_BUILD_C_EXTENSION=0 (not building C extensions)
