{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cbor2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cbor2"],"_cs_severities":["high"],"_cs_tags":["cbor2","denial-of-service","recursion-error","python"],"_cs_type":"advisory","_cs_vendors":["cbor2"],"content_html":"\u003cp\u003eThe \u003ccode\u003ecbor2\u003c/code\u003e library, versions 5.8.0 and earlier, is susceptible to a Denial of Service (DoS) attack stemming from uncontrolled recursion during the decoding of deeply nested CBOR structures. This affects both the pure Python implementation and the C extension (\u003ccode\u003e_cbor2\u003c/code\u003e). While the C extension uses \u003ccode\u003ePy_EnterRecursiveCall\u003c/code\u003e for recursion protection, the resulting \u003ccode\u003eRecursionError\u003c/code\u003e can terminate the service process in certain environments if not properly handled. An attacker can exploit this by sending a crafted CBOR payload containing thousands of nested arrays (e.g., \u003ccode\u003e0x81\u003c/code\u003e). When \u003ccode\u003ecbor2.loads()\u003c/code\u003e attempts to parse this malicious input, it exceeds the interpreter's recursion limit, leading to a \u003ccode\u003eRecursionError\u003c/code\u003e and subsequent process termination. This vulnerability allows for a low-bandwidth DoS, as payloads under 100KB can reliably crash worker processes faster than they can be restarted, causing a sustained outage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious CBOR payload with deeply nested arrays, such as \u003ccode\u003eb'\\x81' * DEPTH + b'\\x01'\u003c/code\u003e where DEPTH is a large number like 1000.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted CBOR payload to an application that utilizes the \u003ccode\u003ecbor2\u003c/code\u003e library for decoding CBOR data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecbor2.loads()\u003c/code\u003e function is called to decode the received CBOR payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCBORDecoder.decode()\u003c/code\u003e method is invoked, which reads the initial byte and dispatches control to a handler based on the major type (Array in this case).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edecode_array\u003c/code\u003e method iterates through the elements specified in the CBOR header, recursively calling \u003ccode\u003eself.decode()\u003c/code\u003e for each element.\u003c/li\u003e\n\u003cli\u003eDue to the deep nesting, the recursive calls to \u003ccode\u003eself.decode()\u003c/code\u003e exceed the interpreter's recursion limit.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003eRecursionError\u003c/code\u003e is raised, but may not be properly caught by the application.\u003c/li\u003e\n\u003cli\u003eThe worker process terminates, resulting in a Denial of Service. An attacker can repeatedly send these small packets to sustain the denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability impacts applications that use \u003ccode\u003ecbor2\u003c/code\u003e to parse untrusted data, potentially leading to a complete Denial of Service. Affected applications include those dealing with IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE. A successful attack allows a remote, unauthenticated attacker to repeatedly crash worker processes using small CBOR payloads (under 100KB), causing a sustained outage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003ecbor2\u003c/code\u003e greater than 5.8.0 to remediate CVE-2026-26209.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to limit the depth of CBOR structures being processed by \u003ccode\u003ecbor2.loads()\u003c/code\u003e to prevent uncontrolled recursion.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for \u003ccode\u003eRecursionError\u003c/code\u003e exceptions originating from \u003ccode\u003ecbor2\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect processes crashing due to \u003ccode\u003eRecursionError\u003c/code\u003e originating from the cbor2 library.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting and request size limits for services parsing CBOR data to mitigate the impact of DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cbor2-dos/","summary":"The cbor2 library is vulnerable to a Denial of Service (DoS) attack due to uncontrolled recursion when decoding deeply nested CBOR structures, allowing a remote attacker to crash worker processes with crafted CBOR payloads.","title":"cbor2 Denial of Service via Uncontrolled Recursion","url":"https://feed.craftedsignal.io/briefs/2024-01-cbor2-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Cbor2","version":"https://jsonfeed.org/version/1.1"}