PT-2019-20039 · Unknown · Cbor Library
Published 2019-09-30 · Updated 2019-09-30
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
Name of the Vulnerable Software and Affected Versions
CBOR library versions prior to 4.0
Description
The CBOR library has a denial of service issue due to the automatic resolution of references in CBOR objects. This can cause a significant increase in memory usage when the decoded CBOR object is sent to a serialization method, potentially leading to a denial of service. The risk is higher if the system allows users to send arbitrary CBOR objects without authentication or exposes a remote endpoint for sending CBOR objects without authentication.
Recommendations
For versions prior to 3.6, consider using a "limited memory stream" to decode CBOR objects to prevent excessive memory usage.
For versions 3.6 and later, set resolvereferences=false in CBOREncodeOptions to disable reference resolution.
For versions 3.6 and later, use the overload of CBORObject.DecodeFromBytes() that takes CBOREncodeOptions and set resolvereferences=false.
Update to version 4.0 or later, which disables reference resolution by default.
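Why resolved references inflate at serialization time, as an added example (not code from the CBOR library or from this advisory): the decoded object graph is modeled with plain Python lists and dicts, and `expanded_size`, `safe_to_serialize`, `build_shared_sample` and `MAX_NODES` are hypothetical names. It goes slightly beyond the recommendations above by showing a size check that runs before serialization and costs time proportional to the stored graph, not to its expansion.

```python
MAX_NODES = 100_000  # assumed budget: nodes a serializer may emit per object


def expanded_size(obj, _memo=None):
    """Count the nodes a serializer would write for obj when every reference
    is followed, without building the expansion. Memoizing on id() visits
    each distinct container once."""
    memo = {} if _memo is None else _memo
    if not isinstance(obj, (list, dict)):
        return 1                      # scalar: one node
    key = id(obj)
    if key in memo:
        if memo[key] is None:         # container still being visited
            raise ValueError("cyclic reference")
        return memo[key]
    memo[key] = None                  # mark as in progress
    if isinstance(obj, dict):
        # one node for the map, one per key, plus each value's expansion
        total = 1 + len(obj) + sum(expanded_size(v, memo) for v in obj.values())
    else:
        total = 1 + sum(expanded_size(v, memo) for v in obj)
    memo[key] = total
    return total


def safe_to_serialize(obj, budget=MAX_NODES):
    """Return True only if the fully expanded output stays within budget."""
    try:
        return expanded_size(obj) <= budget
    except ValueError:
        return False                  # cycles can never be written out in full


def build_shared_sample(levels):
    """Constructed sample: every level holds two references to the level
    below, which is what a decoder produces once references are resolved."""
    node = ["leaf"]
    for _ in range(levels):
        node = [node, node]           # same object twice, stored once
    return node


if __name__ == "__main__":
    sample = build_shared_sample(30)  # 31 list objects in memory
    print(expanded_size(sample))      # nodes a naive serializer would emit
    print(safe_to_serialize(sample))
```

The stored graph grows by one container per level while the serialized form roughly doubles, which is why the decode step looks harmless and the cost only appears when the object is re-encoded.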
Related identifiers
Affected products
Cbor Library