CVE-2025-68131

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-68131
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68131.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68131
Aliases
Downstream
Published
2025-12-31T01:15:36.827Z
Modified
2026-01-04T05:42:21.645078Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
CBORDecoder reuse can leak shareable values across decode calls
Details

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-212"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68131.json"
}
References

Affected packages

Git / github.com/agronholm/cbor2

Affected ranges

Type
GIT
Repo
https://github.com/agronholm/cbor2
Events
Introduced
ff91251d4c19e8c6d2298c52e664c599298f326e
Fixed
c77cea8e0d77aebdb6eea051433352a1de824ff1

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.1.2
4.2.0

5.*

5.0.0
5.0.1
5.1.0
5.1.1
5.1.2
5.2.0
5.3.0
5.4.0
5.4.1
5.4.2
5.4.2.post1
5.4.3
5.4.4
5.4.5
5.4.6
5.5.0
5.5.1
5.6.0
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.7.0
5.7.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68131.json"