CVE-2019-25001: Out of bounds write in serde_cbor

August 25, 2021 (updated June 13, 2023)

Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization. This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow. The flaw was corrected by limiting the allowed number of nested tags.

References

github.com/advisories/GHSA-xr7r-88qv-q7hm
github.com/pyfisch/cbor
github.com/pyfisch/cbor/commit/1aec4f9d71855dbfb223fa61ca60260400cc5d5f
github.com/pyfisch/cbor/pull/153
github.com/pyfisch/cbor/releases/tag/v0.10.2
nvd.nist.gov/vuln/detail/CVE-2019-25001
rustsec.org/advisories/RUSTSEC-2019-0025.html

Detect and mitigate CVE-2019-25001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →