DirectorySecurity AdvisoriesPricing
/
Sign in
Security Advisories

CVE-2025-68131

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-68131

Severity

Unknown

Summary

CBORDecoder reuse can leak shareable values across decode calls

Description

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-68131
  • https://github.com/advisories/GHSA-wcj4-jw5j-44wh
  • https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68131.json
  • https://github.com/agronholm/cbor2/pull/268
  • https://github.com/agronholm/cbor2/security/advisories/GHSA-wcj4-jw5j-44wh

Affected packages

The trusted source for open source

Talk to an expert
© 2025 Chainguard. All Rights Reserved.
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0Golden ImagesCVE RemediationPublic Sector

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogPartnersNewsroomCareersLegal