CVE-2025-68131

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

### Summary When a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. ### Details The issue is in the decoder's handling of the shareables list, which stores values tagged with CBOR tag 28 (shareable) for later reference by tag 29 (sharedref). When decode_from_bytes() is called or when .fp is set to a new stream, the shareables list is not cleared. This allows references to persist across separate decode operations. The issue exists in both the C extension and the pure Python decoder. In the C extension (source/decoder.c), the _CBORDecoder_set_fp function (line ~202) updates the file pointer but does not reset the shareables state: ``` static int _CBORDecoder_set_fp(CBORDecoderObject *self, PyObject *value, void *closure) { // ... validation ... tmp = self->read; self->read = read; Py_DECREF(tmp); return 0; // Missing: PyList_Clear(self->shareables) or equivalent } ``` In the pure Python decoder (cbor2/_decoder.py), the fp setter similarly fails to clear self._shareables. Similarly, decode_from_bytes() in both implementations saves and restores the read pointer but does not clear the shareables list between decodes. The shareable/sharedref tags are defined in the CBOR value sharing extension (http://cbor.schmorp.de/value-sharing) with scope limited to a single CBOR data item, not across separate messages. ### PoC ``` import cbor2 from io import BytesIO # Message from trusted source containing a shareable value msg1 = cbor2.dumps(cbor2.CBORTag(28, "secret")) # Attacker-controlled message referencing index 0 msg2 = cbor2.dumps(cbor2.CBORTag(29, 0)) # Decoder reused across trust boundaries decoder = cbor2.CBORDecoder(BytesIO(b'')) decoder.decode_from_bytes(msg1) print(decoder.decode_from_bytes(msg2)) # prints "secret" ``` No special configuration required. Affects any application that reuses a CBORDecoder instance to decode messages from different sources. ### Impact Information disclosure. Applications that reuse a CBORDecoder across trust boundaries are vulnerable if the trusted messages use value sharing (tag 28) and an attacker can send messages containing shared references (tag 29). An attacker who can send a crafted CBOR message containing a sharedref tag can read values from previously decoded messages, potentially exposing sensitive data such as credentials, tokens, or private user data. ### Related A similar issue in the encoder could produce invalid CBOR with dangling shared references: ``` import cbor2 from io import BytesIO # Create encoder with value sharing enabled encoder = cbor2.CBOREncoder(BytesIO(), value_sharing=True) # Persistent object that will be encoded multiple times shared_obj = ['hello'] # First encode: array containing shared_obj twice encoder.encode([shared_obj, shared_obj]) print(f'First encode: {encoder.fp.getvalue().hex()}') # Output: d81c82d81c816568656c6c6fd81d01 # Second encode: just shared_obj encoder.fp = BytesIO() encoder.encode(shared_obj) result = encoder.fp.getvalue() print(f'Second encode: {result.hex()}') # Output: d81d01 (just a shared reference to index 1!) # Try to decode the second result as standalone CBOR decoder = cbor2.CBORDecoder(BytesIO(result)) decoded = decoder.decode() # FAILS: shared reference 1 not found ``` While primarily a correctness bug, it could cause denial of service if invalid CBOR is transmitted to downstream systems that fail to parse it, or cause silent data corruption if the dangling reference happens to resolve to an unrelated value. It can also be considered a memory leak in both the decoder and encoder as references are held that will never be released as long as the decoder/encoder remains alive. ### Suggested resolution Add dedicated boolean flags to track when an encode/decode operation is in progress. Reset shared state only when the flag is False (top-level call). This ensures state is reset for standalone calls while preserving shared references for nested calls from hooks (which need access to the registry for cyclic structures). Decoder (_decoding flag): - decode(): set flag True, reset state, decode, set flag False - decode_from_bytes(): reset state only when flag is False Encoder (_encoding flag): - encode(): set flag True, reset state, encode, set flag False - encode_to_bytes(): reset state only when flag is False

cbor2 proporciona codificación y decodificación para el formato de serialización Concise Binary Object Representation (CBOR). A partir de la versión 3.0.0 y antes de la versión 5.8.0, cuando una instancia de CBORDecoder se reutiliza en múltiples operaciones de decodificación, los valores marcados con la etiqueta compartible (28) persisten en la memoria y pueden ser accedidos por mensajes CBOR subsiguientes usando la etiqueta sharedref (29). Esto permite que un mensaje controlado por el atacante lea datos de mensajes decodificados previamente si el decodificador se reutiliza a través de límites de confianza. La versión 5.8.0 corrige el problema.