PT-2020-21410 · Unknown · Cbor Library

Published 2020-07-07 · Updated 2020-07-07

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: CBOR library versions prior to 4.0
Description: The issue concerns the CBOR library's handling of the optional tags that let a CBOR object contain references to other objects inside it. In versions earlier than 4.0, these references are resolved automatically when the object is decoded, which can lead to a denial of service when the references are deeply nested and used multiple times, particularly when the decoded object is then passed to a serialization method. The risk is higher in systems that let users send arbitrary CBOR objects without authentication, or that expose a remote endpoint for sending such objects.
Recommendations: For versions prior to 3.6, consider a workaround such as checking the CBOR object's type before encoding it, or decoding the CBOR object through a "limited memory stream". For versions 3.6 and later, set resolvereferences=false in CBOREncodeOptions to disable reference resolution, for example:
CBORObject.DecodeFromBytes(bytes, new CBOREncodeOptions("resolvereferences=false"));
Update to version 4.0 or later, where reference resolution is disabled by default.
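A decode routine that combines the recommendations above, as an added example that is not code from the advisory or from the library's own documentation. It assumes PeterO.Cbor 3.6 or later (where the CBOREncodeOptions string constructor and the resolvereferences option exist); the class name, the 64 KiB size limit and the expected Map type are illustrative assumptions.

```csharp
using System;
using PeterO.Cbor;

public static class SafeCborDecoder
{
    // Assumed upper bound on untrusted input; tune it for the application.
    private const int MaxInputBytes = 64 * 1024;

    // Decodes untrusted CBOR with reference resolution disabled (the
    // behaviour that is vulnerable in versions before 4.0), then verifies
    // that the decoded object has the type the caller expects before it is
    // re-encoded or otherwise serialized.
    public static CBORObject DecodeUntrusted(byte[] input, CBORType expected)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        if (input.Length > MaxInputBytes)
            throw new ArgumentException("CBOR input exceeds size limit");

        // "resolvereferences=false": references are left unresolved during
        // decoding, so deeply nested, repeatedly referenced objects cannot
        // expand into an oversized in-memory tree.
        var options = new CBOREncodeOptions("resolvereferences=false");
        CBORObject obj;
        try
        {
            obj = CBORObject.DecodeFromBytes(input, options);
        }
        catch (CBORException ex)
        {
            throw new ArgumentException("malformed CBOR input", ex);
        }

        // Type check before encoding, the workaround suggested for versions before 3.6.
        if (obj.Type != expected)
            throw new ArgumentException(
                $"unexpected CBOR type {obj.Type}, expected {expected}");
        return obj;
    }

    public static void Main()
    {
        // Constructed sample input: the CBOR map {1: "a"} encoded as bytes.
        byte[] sample = { 0xA1, 0x01, 0x61, 0x61 };
        CBORObject map = DecodeUntrusted(sample, CBORType.Map);
        byte[] reencoded = map.EncodeToBytes();
        Console.WriteLine(BitConverter.ToString(reencoded));
    }
}
```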

Related Identifiers

GHSA-MM44-WC5P-WQHQ

Affected Products

Cbor Library