CVSS Score: 4.0 Published: 2025-12-31 Full Report: https://cvereports.com/reports/CVE-2025-68131
A logic flaw in the popular Python cbor2 library allows sensitive data from one decoding session to persist and bleed into subsequent sessions due to improper state management of the 'Value Sharing' feature.
If you reuse a single CBORDecoder instance to process messages from different users, the decoder retains the 'shareable' values (Tag 28) from the first user's message. A second user can then reference those retained values (Tag 29) to extract secrets, creating a cross-context information leak.
- CWE: CWE-212 (Improper Removal of Sensitive Information)
- Attack Vector: Network
- CVSS v4.0: 4.0 (Medium)
- Exploit Status: PoC Available
- Component: cbor2 Library
- Patch Date: 2024-02-05
- Python applications using cbor2 < 5.8.0
- RPC frameworks relying on cbor2
- IoT data collectors using CBOR for telemetry
- cbor2: >= 3.0.0, < 5.8.0 (Fixed in: 5.8.0)
- Upgrade cbor2 to version 5.8.0 immediately.
- Enforce statelessness by instantiating a new CBORDecoder for every incoming message.
- Audit custom RPC or serialization layers for object reuse optimization patterns.
Remediation Steps:
- Check current version: pip show cbor2
- Update package: pip install --upgrade cbor2
- Verify version is >= 5.8.0
- Restart all services relying on the library to reload the code.
Generated by CVEReports - Automated Vulnerability Intelligence