PT-2025-54268 · Cbor2+1

Andreer · Published 2025-01-01 · Updated 2026-04-08
CVE-2025-68131 · CVSS v3.1 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: cbor2 versions 3.0.0 through 5.7.0
Description: cbor2 is a library for encoding and decoding the Concise Binary Object Representation (CBOR) serialization format. When a single CBORDecoder instance is reused for several decode operations, values tagged as shareable (tag 28) in one message remain in the decoder's state after that message has been fully decoded. A later message can then reference them by index with the sharedref tag (29), so an attacker-controlled message can read data from previously decoded messages if the decoder is reused across trust boundaries. The impact is confidentiality only (C:H/I:N/A:N in the vector): the attacker reads earlier data, but cannot alter it or affect availability.
Recommendations: Update to version 5.8.0 or later. Until the update is deployed, do not reuse one CBORDecoder instance for messages from different sources; create a new decoder per message (cbor2.loads does this on every call).
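The description above gives the mechanism in prose. The following is an added illustration written for this page, not cbor2's code and not part of the advisory: a minimal CBOR decoder (definite-length unsigned ints, byte and text strings, arrays, maps and tags only) that keeps a shareables table the way a real decoder must in order to resolve tag 29. The class name `MiniCBORDecoder`, its `reset_per_message` switch and the three hand-assembled sample messages are inventions of this example. With the table left in place between `decode()` calls (the flawed behaviour), an untrusted message consisting of nothing but `29(0)` resolves to the value a previous trusted message marked with tag 28; clearing the table at the start of each message rejects that reference while still allowing sharing within a single message.

```python
import struct

TAG_SHAREABLE = 28  # IANA CBOR tag: mark the enclosed item as shareable
TAG_SHAREDREF = 29  # IANA CBOR tag: reference to the n-th shareable item


class MiniCBORDecoder:
    """Toy decoder for this example (NOT cbor2). reset_per_message=False
    models the flawed behaviour where the shareables table survives across
    decode() calls; True models a decoder that clears it per message."""

    def __init__(self, reset_per_message):
        self.reset_per_message = reset_per_message
        self._shareables = []  # the table that tag 29 indexes into
        self._buf, self._pos = b"", 0

    def decode(self, data):
        if self.reset_per_message:
            self._shareables = []  # the fix: shareables never outlive one message
        self._buf, self._pos = data, 0
        value = self._decode_item()
        if self._pos != len(self._buf):
            raise ValueError("trailing bytes after CBOR item")
        return value

    def _read(self, n):
        chunk = self._buf[self._pos:self._pos + n]
        if len(chunk) != n:
            raise ValueError("truncated CBOR input")
        self._pos += n
        return chunk

    def _read_argument(self, info):
        # Additional information: literal 0..23, or a 1/2/4/8-byte big-endian value.
        if info < 24:
            return info
        widths = {24: (1, ">B"), 25: (2, ">H"), 26: (4, ">I"), 27: (8, ">Q")}
        if info not in widths:
            raise ValueError("indefinite-length items are not supported by this model")
        size, fmt = widths[info]
        return struct.unpack(fmt, self._read(size))[0]

    def _decode_item(self):
        initial = self._read(1)[0]
        major, info = initial >> 5, initial & 0x1F
        arg = self._read_argument(info)
        if major == 0:
            return arg
        if major == 2:
            return self._read(arg)
        if major == 3:
            return self._read(arg).decode("utf-8")
        if major == 4:
            return [self._decode_item() for _ in range(arg)]
        if major == 5:
            result = {}
            for _ in range(arg):
                key = self._decode_item()  # key decoded before value
                result[key] = self._decode_item()
            return result
        if major == 6:
            return self._decode_tag(arg)
        raise ValueError(f"major type {major} is not supported by this model")

    def _decode_tag(self, tag):
        if tag == TAG_SHAREABLE:
            # Reserve the slot before decoding the payload so a sharedref nested
            # inside the payload can already refer to it, then fill it in.
            index = len(self._shareables)
            self._shareables.append(None)
            self._shareables[index] = self._decode_item()
            return self._shareables[index]
        if tag == TAG_SHAREDREF:
            index = self._decode_item()
            if not isinstance(index, int) or not 0 <= index < len(self._shareables):
                raise ValueError(f"sharedref {index!r} names no shareable in this message")
            return self._shareables[index]
        return (tag, self._decode_item())  # any other tag: surface it as (tag, value)


# Constructed sample messages (hand-assembled CBOR), not captured from any real system.
TRUSTED_MSG = b"\xa1\x65token\xd8\x1c\x66s3cr3t"   # {"token": 28("s3cr3t")}
ATTACKER_MSG = b"\xd8\x1d\x00"                      # 29(0): "give me shareable #0"
LEGIT_MSG = b"\x82\xd8\x1c\x61x\xd8\x1d\x00"         # [28("x"), 29(0)] within one message


def decode_trusted_then_attacker(reset_per_message):
    """Reuse one decoder across a trust boundary; return what the attacker's
    sharedref resolves to, or None if the decoder rejects it."""
    dec = MiniCBORDecoder(reset_per_message)
    dec.decode(TRUSTED_MSG)
    try:
        return dec.decode(ATTACKER_MSG)
    except ValueError:
        return None


def decode_shared_within_message(reset_per_message):
    """Sharing inside a single message is legitimate and must keep working."""
    return MiniCBORDecoder(reset_per_message).decode(LEGIT_MSG)


if __name__ == "__main__":
    print("flawed decoder leaks :", decode_trusted_then_attacker(False))
    print("fixed decoder returns:", decode_trusted_then_attacker(True))
    print("in-message sharing   :", decode_shared_within_message(True))
```

The attacker's message carries no data of its own; it is a bare index into state the decoder should have discarded. That is why the practical rule is "one decoder per message" rather than trying to filter tag 29 out of untrusted input, since sharing within one message is a legitimate feature.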

Related Identifiers

AZL-73325
CVE-2025-68131
GHSA-WCJ4-JW5J-44WH
OPENSUSE-SU-2026:10014-1
OPENSUSE-SU-2026:20468-1
PYSEC-2025-90
SUSE-SU-2026:21139-1

Affected Products

Debian
Cbor2