Beware of Crash Vulnerability in cbor2 Python Library

CVE: CVE-2024-26134
CVSS: cvssV3_1: 7.5
Source: CVE-2024-26134

The cbor2 Python library, which is used to encode and decode data in the Concise Binary Object Representation (CBOR) format, was found to have a vulnerability that could allow remote attackers to crash services using certain versions of the library.

CBOR is a binary data serialization format similar to JSON, but designed for small code size and simple implementation. The cbor2 library is used by many Python projects and services to parse CBOR encoded data.

The vulnerability lies in how cbor2 handles parsing very long CBOR objects. By sending a crafted CBOR binary with an extremely long object, an attacker could cause the library to crash, resulting in a denial of service of the vulnerable service.

Versions 5.5.1 and earlier of cbor2 are affected. This could impact any Python app or service using those versions to read CBOR data from untrusted sources.

Users are advised to upgrade cbor2 to the latest version (5.6.2 or above), which contains a fix for this issue. Application owners should also review their dependencies for cbor2 and consider vulnerability scanning to detect such issues. Keeping libraries up to date is key to preventing exploitation of known vulnerabilities.
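As a worked example of the advice above, the following Python script (added here; it is not part of the advisory or of the cbor2 project) checks whether the installed cbor2 is below the 5.6.2 fix threshold the advisory names, and wraps decoding of untrusted input in a size limit as defence in depth. The `MAX_CBOR_BYTES` cap, the helper names and the sample CBOR bytes are assumptions of this example; the version threshold comes from the advisory, and the size limit is an extra control, not a substitute for upgrading.

```python
"""Defensive checks for CVE-2024-26134 in cbor2 (added example, not from the advisory)."""
import re
from importlib import metadata
from typing import Any, Callable, Optional

# From the advisory: versions 5.6.2 and above contain the fix.
FIXED_VERSION = (5, 6, 2)

# Hypothetical per-message cap for untrusted CBOR; tune it for your protocol.
MAX_CBOR_BYTES = 64 * 1024


def parse_version(version: str) -> tuple:
    """Turn '5.6.2' into (5, 6, 2); pre-release suffixes such as 'rc1' are ignored (assumption)."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:  # pad so '5.6' compares as (5, 6, 0)
        parts.append(0)
    return tuple(parts)


def needs_upgrade(version: str) -> bool:
    """True when the given cbor2 version is below the 5.6.2 fix threshold."""
    return parse_version(version) < FIXED_VERSION


def installed_cbor2_version() -> Optional[str]:
    """Return the installed cbor2 version, or None if the package is absent."""
    try:
        return metadata.version("cbor2")
    except metadata.PackageNotFoundError:
        return None


def assess_installed() -> str:
    """Human-readable verdict for the cbor2 found in this environment."""
    version = installed_cbor2_version()
    if version is None:
        return "cbor2 is not installed"
    if needs_upgrade(version):
        return f"cbor2 {version}: UPGRADE to 5.6.2 or above (CVE-2024-26134)"
    return f"cbor2 {version}: contains the fix for CVE-2024-26134"


def decode_bounded(payload: bytes, decoder: Callable[[bytes], Any],
                   max_bytes: int = MAX_CBOR_BYTES) -> Any:
    """Reject oversized untrusted input before it reaches the CBOR parser.

    `decoder` is typically cbor2.loads; it is passed in so the limit can be
    tested without the library. This is defence in depth only: the real fix
    is upgrading cbor2.
    """
    if len(payload) > max_bytes:
        raise ValueError(f"CBOR payload of {len(payload)} bytes exceeds limit of {max_bytes}")
    return decoder(payload)


if __name__ == "__main__":
    print(assess_installed())
    try:
        import cbor2
        # Constructed sample: CBOR map {"a": 1} encoded as a1 61 61 01.
        print(decode_bounded(b"\xa1\x61\x61\x01", cbor2.loads))
    except ImportError:
        print("cbor2 not installed; skipping decode demo")
```

Run the script in each deployment environment (or wire `assess_installed()` into a CI job) to flag services still on a vulnerable version; the `decode_bounded` wrapper belongs at the boundary where CBOR from untrusted sources enters the service.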
