CVEReports
Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2025-68131
CVSS 4.0 · EPSS 0.04%

Oversharing is Caring: The Persistent Memory of CVE-2025-68131

Alon Barad
Software Engineer

Jan 1, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

If you reuse a `CBORDecoder` instance to process messages from different users, the decoder remembers 'shareable' values (Tag 28) from the first user. A second user can reference those values (Tag 29) to extract secrets, creating a cross-context information leak.

A logic flaw in the popular Python `cbor2` library allows sensitive data from one decoding session to persist and bleed into subsequent sessions due to improper state management of the 'Value Sharing' feature.
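To make the state-hygiene point above concrete, here is a toy CBOR-subset decoder written for this report as an added example (it is not cbor2's implementation): the first class keeps the Tag 28 table alive across calls, as the summary describes, while the second clears it for every message. The two messages are constructed; the remedy the page names is upgrading to cbor2 5.8.0, and in any case a decoder instance should never be shared across trust boundaries.

```python
# Minimal CBOR-subset decoder (unsigned ints, byte strings, tags 28/29) written
# for this illustration only; it is not cbor2's implementation.
class ReusedStateDecoder:
    """Unsafe pattern: the shareable table survives across decode() calls."""
    def __init__(self):
        self._shareables = []          # lives as long as the decoder instance

    def decode(self, data: bytes):
        self._buf, self._pos = data, 0
        return self._item()

    def _byte(self) -> int:
        self._pos += 1
        return self._buf[self._pos - 1]

    def _item(self):
        initial = self._byte()
        major, info = initial >> 5, initial & 0x1F
        arg = info if info < 24 else self._byte()   # one-byte argument only
        if major == 0:                              # unsigned integer
            return arg
        if major == 2:                              # byte string of length arg
            self._pos += arg
            return self._buf[self._pos - arg:self._pos]
        if major == 6 and arg == 28:                # tag 28: register slot, decode content
            slot = len(self._shareables)
            self._shareables.append(None)
            self._shareables[slot] = self._item()
            return self._shareables[slot]
        if major == 6 and arg == 29:                # tag 29: resolve index into the table
            return self._shareables[self._item()]
        raise ValueError(f"unsupported initial byte {initial:#04x}")

class PerMessageStateDecoder(ReusedStateDecoder):
    """Hardened pattern: the shareable table is cleared for every message."""
    def decode(self, data: bytes):
        self._shareables = []
        return super().decode(data)

# Constructed messages: user A marks a value shareable, user B references slot 0.
USER_A_MSG = bytes([0xD8, 28, 0x46]) + b"s3cr3t"   # tag 28 wrapping bstr "s3cr3t"
USER_B_MSG = bytes([0xD8, 29, 0x00])               # tag 29 with index 0

def second_user_sees(decoder):
    """What user B's message resolves to after the same decoder handled user A's."""
    decoder.decode(USER_A_MSG)
    try:
        return decoder.decode(USER_B_MSG)
    except IndexError:                 # dangling reference: no leaked state
        return None
```

With the reused decoder, user B's reference resolves to user A's value; with per-message state it resolves to nothing, which is the behaviour a service handling multiple clients needs.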

Official Patches

PyPI: Official release containing the fix.
GitHub: Release notes for version 5.8.0.

Technical Appendix

CVSS Score: 4.0 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L
EPSS Probability: 0.04% (top 100% most exploited)

Affected Systems

  • Python applications using cbor2 < 5.8.0
  • RPC frameworks relying on cbor2
  • IoT data collectors using CBOR for telemetry

Affected Versions Detail

Product: cbor2 (agronholm)
Affected Versions: >= 3.0.0, < 5.8.0
Fixed Version: 5.8.0

Attribute / Detail

CWE: CWE-212 (Improper Removal of Sensitive Information)
Attack Vector: Network
CVSS v4.0: 4.0 (Medium)
Exploit Status: PoC Available
Component: cbor2 Library
Patch Date: 2024-02-05

MITRE ATT&CK Mapping

  • T1557 Adversary-in-the-Middle (Credential Access)
  • T1005 Data from Local System (Collection)
  • CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

Known Exploits & Detection

GitHub Security Advisory: Proof of concept demonstrating cross-decoding state pollution.

Vulnerability Timeline

  • 2024-02-05: Patch Released (v5.8.0)
  • 2024-02-06: Advisory Published


Attack Flow Diagram

(Interactive node-and-edge diagram; not reproduced as text.)