CVE-2025-68131

Upstream information

CVE-2025-68131 at MITRE

Description

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

---

SUSE information

Overall state of this security issue: Analysis

This issue is currently rated as having moderate severity.

CVSS v3 Scores

CVSS detail	SUSE
Base Score	5.5
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector	Local
Attack Complexity	Low
Privileges Required	Low
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	None
CVSSv3 Version	3.1

CVSS v4 Scores

CVSS detail	CNA (GitHub)	SUSE
Base Score	5.5	6.8
Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector	Network	Local
Attack Complexity	Low	Low
Attack Requirements	None	None
Privileges Required	None	Low
User Interaction	None	None
Vulnerable System Confidentiality Impact	Low	High
Vulnerable System Integrity Impact	None	None
Vulnerable System Availability Impact	Low	None
Subsequent System Confidentiality Impact	None	None
Subsequent System Integrity Impact	None	None
Subsequent System Availability Impact	None	None
CVSSv4 Version	4.0	4.0

SUSE Bugzilla entry: 1255783 [NEW]

No SUSE Security Announcements cross referenced.

---

SUSE Timeline for this CVE

CVE page created: Wed Dec 31 04:03:11 2025
CVE page last modified: Wed Dec 31 14:38:43 2025