advisory-db/crates/serde_cbor/RUSTSEC-2019-0025.md

[advisory]
id = "RUSTSEC-2019-0025"
package = "serde_cbor"
aliases = ["CVE-2019-25001"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
categories = ["crypto-failure"]
date = "2019-10-03"
keywords = ["stack-overflow", "crash", "denial-of-service"]
url = "https://github.com/pyfisch/cbor/releases/tag/v0.10.2"

[versions]
patched = [">= 0.10.2"]

Flaw in CBOR deserializer allows stack overflow

Affected versions of this crate did not properly check if semantic tags were nested excessively during deserialization.

This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow.

The flaw was corrected by limiting the allowed number of nested tags.