agronholm cbor2
cpe:2.3:a:agronholm:cbor2:*:*:*:*:python:*:*
- <= 5.8.0
A denial-of-service vulnerability has been identified in the cbor2 library, which provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. This issue affects versions of cbor2 through 5.8.0, including both the pure Python implementation and the C extension '_cbor2'. The vulnerability arises from uncontrolled recursion when decoding deeply nested CBOR structures, allowing an attacker to craft a payload with approximately 100,000 nested arrays. When the 'cbor2.loads()' function processes this payload, it exceeds Python's maximum recursion depth, leading to a 'RecursionError' and crashing the worker process. In many web application servers or task queues, such an unhandled 'RecursionError' immediately terminates the worker process, causing a complete denial-of-service for the application.
Exploitation of this vulnerability leads to a denial-of-service condition, where the application fails to respond or crashes, causing disruption of service. In environments using Python web servers or task queues, the impact is particularly severe as it can cause worker processes to terminate abruptly, disrupting application functionality.
To reproduce this vulnerability, use the 'cbor2' library version 5.8.0 or earlier. Send a CBOR payload containing approximately 100,000 nested arrays to the 'cbor2.loads()' function. The payload can be crafted to include around 1,000 nested arrays, each containing a single integer, which will trigger the recursion limit and cause a 'RecursionError'. This can be automated with a script that sends the malicious payload to a server using 'cbor2' for decoding.
Users can upgrade to cbor2 version 5.9.0 or later, which addresses this vulnerability by introducing a configurable maximum depth limit for decoding nested structures. Instructions for upgrading can be found in the cbor2 version 5.9.0 release notes.
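As an added illustration (not part of this advisory or of the cbor2 project's code), the following pure-Python pre-check walks the item heads of a CBOR byte string with an explicit stack and rejects input nested deeper than a caller-chosen limit before the bytes reach a recursive decoder such as 'cbor2.loads()'; the MAX_DEPTH value and the helper names are assumptions, and the deeply nested sample in the comments is constructed for the check.

```python
MAX_DEPTH = 64  # assumed policy value; set it to what your schema actually needs
class CborDepthExceeded(ValueError):
    """Raised when a payload nests deeper than the configured limit."""

def _head(buf: bytes, pos: int):
    """Parse one CBOR item head; return (major, indefinite, argument, next_pos)."""
    ib = buf[pos]
    major, ai, pos = ib >> 5, ib & 0x1F, pos + 1
    if ai < 24:
        return major, False, ai, pos
    if ai == 31:                        # indefinite length (or the break code for major 7)
        return major, True, 0, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if width is None or pos + width > len(buf):
        raise ValueError("malformed or truncated CBOR head")
    return major, False, int.from_bytes(buf[pos:pos + width], "big"), pos + width

def cbor_nesting_depth(buf: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Return the container depth of one CBOR item, raising once it exceeds max_depth.
    An explicit stack (entries: child items still expected, -1 = indefinite) replaces
    recursion, so the checker cannot be driven past the recursion limit by its input."""
    stack, pos, deepest = [], 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated CBOR")
        major, indef, arg, pos = _head(buf, pos)
        if major == 7 and indef:                # break code closes the innermost indefinite container
            if not stack or stack[-1] != -1:
                raise ValueError("unexpected break code")
            stack.pop()
        else:
            if stack and stack[-1] > 0:         # this item fills one slot of its definite parent
                stack[-1] -= 1
            if major in (2, 3) and not indef:   # definite string: skip its payload bytes
                pos += arg
            elif major in (2, 3):               # indefinite string: chunks follow until a break
                stack.append(-1)
            elif major in (4, 5):               # array / map: push the number of child items
                slots = -1 if indef else arg * (2 if major == 5 else 1)
                if slots != 0:
                    stack.append(slots)
            elif major == 6:                    # tag wraps exactly one item
                stack.append(1)
            if len(stack) > max_depth:          # constructed sample b"\x81" * 5000 + b"\x00" ends here
                raise CborDepthExceeded(f"nesting depth exceeds {max_depth}")
            deepest = max(deepest, len(stack))
        while stack and stack[-1] == 0:         # discard containers that are now complete
            stack.pop()
        if not stack:                           # top-level item fully consumed
            return deepest
```

Run it on the raw request bytes before handing them to 'cbor2.loads()' on a version without a depth limit, and treat CborDepthExceeded as a rejected request rather than letting a 'RecursionError' take the worker down.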