Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 333 pypi packages depend on cbor2 (74 direct, 261 indirect)
Ecosystem-wide dependent count for version 5.9.0.
DescriptionGitHub Advisory
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension _cbor2. The C extension relies on Python's internal recursion limits Py_EnterRecursiveCall rather than a data-driven depth limit, meaning it still raises RecursionError and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays 0x81. When cbor2.loads() attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a RecursionError. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled RecursionError terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
AnalysisAI
The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.
Technical ContextAI
cbor2 (CPE: cpe:2.3:a:agronholm:cbor2) is a Python library providing encoding and decoding for CBOR (Concise Binary Object Representation), a binary data serialization format defined in RFC 8949. The vulnerability stems from CWE-674 (Uncontrolled Recursion), where the library fails to enforce a hard depth limit when parsing nested CBOR structures. Both the pure Python implementation and the C extension _cbor2 are affected; the C extension relies on Python's Py_EnterRecursiveCall mechanism rather than implementing its own data-driven depth constraints. When processing deeply nested arrays (marked by CBOR byte 0x81), the recursive decoding calls exhaust either the Python interpreter's recursion limit or the stack memory, resulting in RecursionError exceptions that terminate the process. This vulnerability is triggered during the cbor2.loads() function call when parsing malicious CBOR payloads.
RemediationAI
Upgrade cbor2 to version 5.9.0 or later immediately, as documented in the release notes at https://github.com/agronholm/cbor2/releases/tag/5.9.0. The fix is implemented in commit e61a5f365ba610d5907a0ae1bc72769bba34294b (https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b) and merged via pull request #275 (https://github.com/agronholm/cbor2/pull/275). For environments where immediate patching is not feasible, implement input validation to reject CBOR payloads exceeding a reasonable size threshold (e.g., 50KB) and deploy rate limiting on endpoints accepting CBOR data to mitigate repeated crash attempts. Consider switching to alternative serialization formats (JSON, MessagePack) if CBOR is not strictly required. Review application monitoring to detect and alert on repeated worker crashes that may indicate active exploitation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14478
GHSA-3c37-wwvx-h642