CVE-2025-64076
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-18

Last updated on: 2025-12-31

Assigner: MITRE

Description
Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-18
Last Modified
2025-12-31
Generated
2026-05-07
AI Q&A
2025-11-18
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64076
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agronholm cbor2 to 5.7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves multiple issues in the cbor2 library up to version 5.7.0, specifically in the decode_definite_long_string() function of its C extension decoder. First, an integer underflow caused by incorrect variable handling leads to out-of-bounds reads, which can trigger unlimited read operations and resource exhaustion. Second, a memory leak occurs because the code fails to release references to Python objects during processing, causing memory exhaustion when handling large CBOR strings. Both issues can be exploited remotely by sending specially crafted CBOR data with multi-byte UTF-8 characters at specific chunk boundaries, resulting in denial of service through crashes or memory exhaustion.


How can this vulnerability impact me? :

Exploitation of this vulnerability can cause denial of service by crashing the process or exhausting system memory. This can disrupt services that use cbor2's C extension to process untrusted CBOR data, such as web APIs, IoT data collectors, and message queue processors, potentially leading to downtime or degraded performance.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the cbor2 library to version 5.7.1 or later, where the issue has been fixed. Avoid processing untrusted CBOR data with vulnerable versions of cbor2's C extension decoder until the update is applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart