VulnerableCode Package Details - pkg:pypi/cbor2@5.7.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-hzvc-wgwn-z3bu Aliases: CVE-2026-26209 GHSA-3c37-wwvx-h642	cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.	5.9.0 Affected by 0 other vulnerabilities.
VCID-wqk8-hznt-cbdt Aliases: CVE-2025-68131 GHSA-wcj4-jw5j-44wh PYSEC-2025-90	cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.	5.8.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hzvc-wgwn-z3bu
Aliases:
CVE-2026-26209
GHSA-3c37-wwvx-h642

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.

5.9.0
Affected by 0 other vulnerabilities.

VCID-wqk8-hznt-cbdt
Aliases:
CVE-2025-68131
GHSA-wcj4-jw5j-44wh
PYSEC-2025-90

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

5.8.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:33:02.834540+00:00	GitLab Importer	Affected by	VCID-hzvc-wgwn-z3bu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cbor2/CVE-2026-26209.yml	38.6.0
2026-06-06T06:34:13.583537+00:00	GitLab Importer	Affected by	VCID-wqk8-hznt-cbdt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cbor2/CVE-2025-68131.yml	38.6.0
2026-06-05T17:04:48.472890+00:00	PyPI Importer	Affected by	VCID-wqk8-hznt-cbdt	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-02T04:23:37.800750+00:00	Pypa Importer	Affected by	VCID-wqk8-hznt-cbdt	https://github.com/pypa/advisory-database/blob/main/vulns/cbor2/PYSEC-2025-90.yaml	38.6.0