cbor2 CBORDecoder Shareable Value Leakage Vulnerability

Vulnerability

A vulnerability exists in the cbor2 library, affecting versions from 3.0.0 up to but not including 5.8.0, in the CBORDecoder component. When a single CBORDecoder instance is reused for multiple decoding operations, values tagged as shareable (tag 28) persist in the decoder's state between messages. A later message can then reference those values with the sharedref tag (29), so an attacker who can supply a message to a decoder that was previously used on data from a different trust boundary may read data from earlier messages.

Impact

This vulnerability can lead to unauthorized information disclosure, allowing an attacker to access sensitive data from previously decoded messages.

Reproduction

To reproduce this vulnerability, first encode a CBOR message from a trusted source that includes a shareable (tag 28) value and decode it with a CBORDecoder instance. Then, with the same instance, decode an attacker-controlled message that references that value using the sharedref tag (29). The CBORDecoder must be reused across trust boundaries for the attack to succeed.

Remediation

Users should update to cbor2 version 5.8.0 or later, where this vulnerability has been patched.

Added: Dec 31, 2025, 2:17 AM
Updated: Dec 31, 2025, 2:17 AM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact          2.5
exploitability  6.0
remediation     7.7
relevance       1.7
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.