CVE-2025-64076: Critical Vulnerabilities in cbor2 Library Expose Systems to DoS Attacks

Overview

CVE-2025-64076 details critical vulnerabilities discovered in the cbor2 library, specifically affecting versions up to 5.7.0. These vulnerabilities, present in the decode_definite_long_string() function within the C extension decoder, can be exploited to trigger denial-of-service (DoS) attacks. The issues stem from an integer underflow leading to out-of-bounds reads and a memory leak, both exploitable by sending specially crafted CBOR data. A fix has been released in version 5.7.1.

Technical Details

The vulnerabilities are located in source/decoder.c within the cbor2 library’s C extension. Here’s a breakdown:

1. Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125)

An incorrect variable reference and a missing state reset in the chunk-processing loop mean that buffer_length is not reset to zero after a UTF-8 character has been consumed. Subsequent chunk_length calculations (e.g., chunk_length = 65536 - buffer_length) can therefore produce negative values. These negative values are passed as signed integers to the read() method, potentially causing unbounded read operations and resource exhaustion, which ends in a CBORDecodeEOF exception or a process crash.

2. Memory Leak via Missing Reference Count Release (CWE-401)

The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this results in cumulative memory leaks proportional to the payload size. By repeatedly processing large CBOR payloads, attackers can exhaust available memory, leading to a denial-of-service.

Both vulnerabilities are triggered by crafting CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-64076 is 7.5 (HIGH). This score reflects the high impact of the vulnerability, primarily due to the potential for denial-of-service attacks. The exploitability is considered moderate, as it requires sending specially crafted CBOR data, but no authentication is required, making it remotely exploitable.

Possible Impact

Successful exploitation of CVE-2025-64076 can lead to:

  • Denial of Service (DoS): Applications using cbor2 may become unresponsive or crash due to resource exhaustion (CPU or memory).
  • Process Crashes: The integer underflow vulnerability can lead to unexpected exceptions and process termination.
  • Memory Exhaustion: The memory leak allows attackers to consume all available memory, forcing the affected system to become unusable.

This vulnerability affects applications processing untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors.

Mitigation and Patch Steps

The recommended mitigation is to upgrade to cbor2 version 5.7.1 or later. This version includes a fix for the vulnerabilities described in CVE-2025-64076. The fix was implemented in commit 851473490281f82d82560b2368284ef33cf6e8f9.

If upgrading is not immediately feasible, consider implementing input validation and sanitization techniques to filter out potentially malicious CBOR payloads. However, this approach is not a complete solution and upgrading remains the best course of action.
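One form the interim input validation above can take is a size pre-filter that inspects CBOR item headers before the bytes reach cbor2.loads(). The following is an added Python example, not code from the advisory or from the cbor2 project; the 65536-byte threshold (the chunk size named above) and the function names are assumptions chosen for this illustration, and the walker enforces only string sizes and basic well-formedness, not full CBOR validity.

```python
CHUNK_LIMIT = 65536  # chunk size named in the advisory; text strings this long or longer are refused

def _read_head(buf, pos):
    """Decode one initial byte plus its argument: (major_type, arg, next_pos); arg is None for info 31."""
    if pos >= len(buf):
        raise ValueError("truncated item header")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info == 31:                                  # indefinite length, or the break code for major 7
        return major, None, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None or pos + width > len(buf):
        raise ValueError("reserved or truncated argument")
    return major, int.from_bytes(buf[pos:pos + width], "big"), pos + width

def _walk(buf, pos, limit):
    """Skip one data item starting at pos; return the position after it, or raise on an oversized text string."""
    major, arg, pos = _read_head(buf, pos)
    if arg is None:                                 # indefinite-length string, array or map
        if major not in (2, 3, 4, 5):
            raise ValueError("unexpected break code or indefinite-length scalar")
        while buf[pos] != 0xFF:                     # chunks/items run until the break code
            pos = _walk(buf, pos, limit)            # each text chunk is checked against the limit too
        return pos + 1
    if major in (2, 3):                             # byte string / text string with definite length
        if major == 3 and arg >= limit:
            raise ValueError("definite-length text string of %d bytes exceeds limit" % arg)
        if pos + arg > len(buf):
            raise ValueError("string length runs past end of input")
        return pos + arg
    if major in (4, 5):                             # array / map (a map holds two items per entry)
        for _ in range(arg * (2 if major == 5 else 1)):
            pos = _walk(buf, pos, limit)
        return pos
    if major == 6:                                  # tag wraps exactly one item
        return _walk(buf, pos, limit)
    return pos                                      # integer, simple value or float: argument already consumed

def cbor_text_strings_within_limit(payload, limit=CHUNK_LIMIT):
    """True only if payload is one well-formed item whose definite text strings are all under limit (fail closed)."""
    try:
        return _walk(payload, 0, limit) == len(payload)
    except (ValueError, IndexError):
        return False
```

Call cbor_text_strings_within_limit() on the raw bytes and only pass payloads that return True to cbor2.loads(); byte strings (major type 2) are deliberately left unlimited because the advisory describes the defect in text-string handling.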

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
