CVE-2025-68131

Oversharing is Caring: The Persistent Memory of CVE-2025-68131

Alon Barad
Software Engineer

Jan 1, 2026 · 5 min read

Executive Summary (TL;DR)

If you reuse a `CBORDecoder` instance to process messages from different users, the decoder remembers 'shareable' values (Tag 28) from the first user. A second user can reference those values (Tag 29) to extract secrets, creating a cross-context information leak.

A logic flaw in the popular Python `cbor2` library allows sensitive data from one decoding session to persist and bleed into subsequent sessions due to improper state management of the 'Value Sharing' feature.
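To make the state-retention problem concrete, here is a small, self-contained simulation added for this write-up. It is not cbor2's code: it is a toy decoder that understands only unsigned integers, strings, arrays and the two value-sharing tags (28 "shareable" and 29 "sharedref"), enough to show the difference between a decoder whose shared-value table survives across messages and one that starts each message with an empty table. The two messages, the `ToyDecoder` class and the `process_both` helper are all constructed for the example.

```python
# Toy CBOR decoder written for this article to illustrate why per-message
# decoder state must be reset. It is NOT the cbor2 library's code and supports
# only the subset of CBOR needed for the demonstration.

TAG_SHAREABLE = 28   # marks the following value as shareable
TAG_SHAREDREF = 29   # following unsigned int is an index into the shared table


class ToyDecoder:
    def __init__(self, reset_per_message: bool):
        self.reset_per_message = reset_per_message
        self._shared = []  # table of shareable values seen so far

    def decode(self, data: bytes):
        # Vulnerable pattern: keep `_shared` across calls.
        # Hardened pattern: every message starts with an empty table.
        if self.reset_per_message:
            self._shared = []
        value, pos = self._item(data, 0)
        if pos != len(data):
            raise ValueError("trailing bytes after CBOR item")
        return value

    def _item(self, data, pos):
        initial = data[pos]
        major, info = initial >> 5, initial & 0x1F
        arg, pos = self._arg(data, pos + 1, info)
        if major == 0:                      # unsigned integer
            return arg, pos
        if major == 2:                      # byte string
            return data[pos:pos + arg], pos + arg
        if major == 3:                      # text string
            return data[pos:pos + arg].decode("utf-8"), pos + arg
        if major == 4:                      # array
            items = []
            for _ in range(arg):
                item, pos = self._item(data, pos)
                items.append(item)
            return items, pos
        if major == 6:                      # tag
            if arg == TAG_SHAREABLE:
                index = len(self._shared)   # reserve the slot before decoding
                self._shared.append(None)
                value, pos = self._item(data, pos)
                self._shared[index] = value
                return value, pos
            if arg == TAG_SHAREDREF:
                index, pos = self._item(data, pos)
                if not isinstance(index, int) or index >= len(self._shared):
                    raise ValueError(f"sharedref {index!r} out of range")
                return self._shared[index], pos
            raise ValueError(f"unsupported tag {arg}")
        raise ValueError(f"unsupported major type {major}")

    @staticmethod
    def _arg(data, pos, info):
        if info < 24:
            return info, pos
        widths = {24: 1, 25: 2, 26: 4, 27: 8}
        if info not in widths:
            raise ValueError(f"unsupported additional info {info}")
        width = widths[info]
        return int.from_bytes(data[pos:pos + width], "big"), pos + width


# Constructed sample messages (not captured traffic):
#   user A sends  [28("s3cr3t-token")]  -> a value marked shareable
#   user B sends  [29(0)]               -> a reference to shared slot 0
USER_A_MESSAGE = bytes([0x81, 0xD8, 0x1C, 0x6C]) + b"s3cr3t-token"
USER_B_MESSAGE = bytes([0x81, 0xD8, 0x1D, 0x00])


def process_both(reset_per_message: bool):
    """Decode A's message, then B's, on one decoder instance.

    Returns B's decoded value (the leak, when state persists) or the
    error message raised when the reference cannot be resolved.
    """
    decoder = ToyDecoder(reset_per_message)
    decoder.decode(USER_A_MESSAGE)
    try:
        return decoder.decode(USER_B_MESSAGE)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("shared state kept :", process_both(reset_per_message=False))
    print("state reset       :", process_both(reset_per_message=True))
```

With the table kept across calls, user B's `29(0)` resolves to the string user A marked shareable; with the table cleared per message, the same reference fails with an out-of-range error, which is the behaviour a decoder handling multiple trust contexts should have. The library-independent mitigation that follows from the page's description is to avoid reusing one decoder instance across messages from different users at all, regardless of the cbor2 version in use.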

Technical Appendix

CVSS Score: 4.0 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L
EPSS Probability: 0.04% (top 100% most exploited)

Affected Systems

Python applications using cbor2 < 5.8.0
RPC frameworks relying on cbor2
IoT data collectors using CBOR for telemetry

Affected Versions Detail

Product: cbor2 (agronholm)
Affected Versions: >= 3.0.0, < 5.8.0
Fixed Version: 5.8.0

CWE: CWE-212 (Improper Removal of Sensitive Information)
Attack Vector: Network
CVSS v4.0: 4.0 (Medium)
Exploit Status: PoC Available
Component: cbor2 Library
Patch Date: 2024-02-05
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

Vulnerability Timeline

Patch Released (v5.8.0): 2024-02-05
Advisory Published: 2024-02-06