Romanticpragmatism

**Name of the Vulnerable Software and Affected Versions** cbor2 versions prior to 5.9.0 **Description** The `cbor2` library is susceptible to a Denial of Service (DoS) attack due to uncontrolled recursion when decoding deeply nested CBOR structures. This affects both the pure Python implementation and the C extension ` cbor2`. The library lacks a configurable, data-driven depth limit, allowing an attacker to supply a crafted CBOR payload containing thousands of nested arrays (e.g., `0x81`) to exhaust the host application's stack resource. Sending a stream of small malicious packets can repeatedly crash worker processes, resulting in a complete Denial of Service. The vulnerability stems from the recursive design of the `CBORDecoder` class, specifically how it decodes nested container types like Arrays and Maps. The `decode array` function loops and calls `self.decode()` for each item, leading to deep recursion when parsing a payload with many nested arrays. The vulnerable code locations are in `cbor2/decoder.py` (Pure Python implementation) and `source/decoder.c` (C extension implementation). **Recommendations** Versions prior to 5.9.0 should be updated to version 5.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** pyasn1 versions prior to 0.6.3 **Description** The `pyasn1` library is susceptible to a Denial of Service (DoS) attack stemming from uncontrolled recursion when decoding ASN.1 data containing deeply nested structures. An attacker can craft a payload with numerous nested `SEQUENCE` (0x30) or `SET` (0x31) tags, utilizing "Indefinite Length" (0x80) markers. This forces the decoder into recursive calls, potentially leading to a `RecursionError` or complete memory exhaustion (OOM), ultimately causing the host application to crash. The issue arises from the decoder's recursive calls to `decodeFun` without depth limitations or tracking. Vulnerable code locations include `indefLenValueDecoder`, `valueDecoder`, and ` decodeComponentsSchemaless`. A proof-of-concept (PoC) demonstrates the ability to crash the service with a relatively small payload, potentially impacting services that rely on `pyasn1` for parsing untrusted ASN.1 data, such as LDAP, SNMP, Kerberos, and X.509 parsers. **Recommendations** Versions prior to 0.6.3 should be updated to version 0.6.3 or later to address this issue.