Description
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension `_cbor2`. The C extension relies on Python's internal recursion limits `Py_EnterRecursiveCall` rather than a data-driven depth limit, meaning it still raises `RecursionError` and crashes the worker process when the limit is hit. While the library handles moderate nesting levels, it lacks a hard depth limit. An attacker can supply a crafted CBOR payload containing approximately 100,000 nested arrays `0x81`. When `cbor2.loads()` attempts to parse this, it hits the Python interpreter's maximum recursion depth or exhausts the stack, causing the process to crash with a `RecursionError`. Because the library does not enforce its own limits, it allows an external attacker to exhaust the host application's stack resource. In many web application servers (e.g., Gunicorn, Uvicorn) or task queues (Celery), an unhandled `RecursionError` terminates the worker process immediately. By sending a stream of these small (<100KB) malicious packets, an attacker can repeatedly crash worker processes, resulting in a complete Denial of Service for the application. Version 5.9.0 patches the issue.
Published: 2026-03-23
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via process crash
Action: Patch
AI Analysis

Impact

cbor2, a Python library for CBOR, has an uncontrolled recursion flaw in its loads function that can trigger a RecursionError and terminate the process when decoding deeply nested CBOR payloads. The bug exists in all versions before 5.9.0, affecting both the pure‑Python implementation and the C extension. Because the library does not enforce an internal nesting limit, an attacker can craft a payload with around 100,000 nested arrays, each 0x81, which typically requires less than 100 KB of data. When the decoder attempts to parse this payload, the Python interpreter’s recursion depth limit is exceeded or the stack is exhausted, leading to a crash. The result is a denial‑of‑service for any application that uses cbor2 to parse untrusted data, such as web servers, API gateways, or task queues.

Affected Systems

The vulnerability impacts the agronholm:cbor2 library. All releases older than 5.9.0 are affected, including the pure‑Python and _cbor2 C extension implementations. Applications that depend on these versions for decoding external CBOR data—examples include web frameworks running on Gunicorn or Uvicorn, Celery workers, and any custom services that invoke cbor2.loads—are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS probability of less than 1% suggests that active exploitation is currently unlikely. The issue is not listed in the CISA KEV catalog, further indicating limited known exploitation. An attacker who can supply a crafted CBOR payload to an application that invokes cbor2.loads may trigger a RecursionError, terminate the process, and repeatedly bring down worker or server instances. The attack does not require elevated privileges or code injection; it relies solely on forging input that exceeds the interpreter’s recursion limits. The effect is a service interruption rather than data compromise.

Generated by OpenCVE AI on March 25, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cbor2 to version 5.9.0 or later.
  • If an upgrade is not immediately possible, validate incoming CBOR payloads for nesting depth or reject payloads that exceed a safe limit.
  • Increase Python’s recursion limit cautiously (Py_RecursionLimit) only if you understand the implications for all dependent processes.
  • Monitor application logs for RecursionError occurrences and restart processes automatically if they crash.
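A depth pre-check of the kind the second recommendation describes, as an added example (not cbor2's own code and not the 5.9.0 fix): it walks the CBOR framing with an explicit stack instead of recursion, so a payload whose nesting exceeds an assumed MAX_DEPTH of 64 is rejected before it ever reaches cbor2.loads(), and the check itself cannot trip the recursion limit.

```python
"""Added example (not cbor2's own code): an iterative, depth-bounded structural scan
of a CBOR payload, stdlib only, so over-deep input is rejected before cbor2.loads()."""
MAX_DEPTH = 64          # assumed safe limit for this example; tune it to your schema


class CBORDepthError(ValueError):
    pass


def check_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Return the nesting depth of one CBOR item; raise CBORDepthError past max_depth.
    Open containers live on an explicit stack (children left; None = indefinite length),
    so the scan itself never recurses and cannot trip Python's recursion limit.
    Call it on the raw body before cbor2.loads(); a ValueError means reject the request."""
    stack, deepest, pos = [], 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated CBOR payload")
        major, info, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
        complete = True                             # scalars finish an item at once
        if major == 7 and info == 31:               # 0xFF break closes an indefinite frame
            if not stack or stack[-1] is not None:
                raise ValueError("unexpected break code")
            stack.pop()
        elif info == 31 and major in (2, 3, 4, 5):  # indefinite-length string/array/map
            stack.append(None)
            complete = False
        else:
            if info >= 24:                          # 1/2/4/8-byte argument follows
                width = 1 << (info - 24)
                if info > 27 or pos + width > len(data):
                    raise ValueError("malformed header at offset %d" % (pos - 1))
                info, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
            if major in (2, 3):                     # definite string: skip its bytes
                pos += info
            elif major in (4, 5, 6):                # array: n items, map: 2n, tag: 1
                stack.append({4: info, 5: 2 * info, 6: 1}[major])
                complete = stack[-1] == 0           # an empty container is already done
        deepest = max(deepest, len(stack))
        if deepest > max_depth:
            raise CBORDepthError("nesting depth exceeds %d" % max_depth)
        if complete:
            while stack and stack[-1] is not None:  # pop every parent this item finishes
                stack[-1] -= 1
                if stack[-1] > 0:
                    break
                stack.pop()
            if not stack and pos <= len(data):      # whole item consumed, nothing truncated
                return deepest
```

The 100,000-byte run of `0x81` described above is refused after 65 bytes, while ordinary nested maps, arrays, tags and indefinite-length containers pass with their measured depth.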

Advisories

Source       ID                   Title
Github GHSA  GHSA-3c37-wwvx-h642  cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

History

Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Agronholm
Agronholm cbor2
Vendors & Products Agronholm
Agronholm cbor2

Tue, 24 Mar 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description (identical to the description at the top of this page)
Title cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
Weaknesses CWE-674
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:35:35.486Z

Reserved: 2026-02-11T19:56:24.814Z

Link: CVE-2026-26209

Vulnrichment

Updated: 2026-03-24T18:35:32.452Z

NVD

Status : Analyzed

Published: 2026-03-23T19:16:39.530

Modified: 2026-03-25T17:56:15.630

Link: CVE-2026-26209

Redhat

Severity : Moderate

Public Date: 2026-03-23T18:53:10Z

Links: CVE-2026-26209 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T20:36:59Z

Weaknesses