VYPR
High severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 5, 2024

CVE-2019-25001

Description

A stack overflow vulnerability in the serde_cbor crate (before 0.10.2) allows denial of service via specially crafted CBOR data with deeply nested semantic tags.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The serde_cbor crate (before version 0.10.2) for Rust contains a flaw in its CBOR deserializer that can lead to uncontrolled stack consumption. The root cause is the lack of depth limiting when handling nested CBOR semantic tags. An attacker can craft input with deeply nested tags (e.g., 17(17(17(...)))), causing the deserialization routine to recurse without bound, eventually exhausting the call stack [3].
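The following is an added example, not serde_cbor's own code, showing the shape of the defect and its fix on a tiny recursive decoder for a CBOR subset (unsigned integers, major type 0, and semantic tags, major type 6). The head byte of tag 17 is 0xd1 (major 6 in the top three bits, 17 in the low five), so a run of 0xd1 bytes is exactly the 17(17(17(...))) chain described above. Every nested parse goes through a depth-checked wrapper, mirroring the `recursion_checked` guard introduced in 0.10.2; the type names, `MAX_DEPTH` value and error variants here are assumptions, not the crate's actual identifiers.

```rust
// Added example (not serde_cbor's code). Decodes CBOR unsigned ints and tags
// recursively, with an explicit nesting budget so hostile tag chains are
// rejected instead of exhausting the call stack.

#[derive(Debug, PartialEq)]
pub enum Item {
    Uint(u64),
    Tagged(u64, Box<Item>),
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    Unsupported(u8),
    RecursionLimitExceeded,
}

// Assumed limit for this example; serde_cbor's real value is not on the page.
pub const MAX_DEPTH: usize = 128;

struct Decoder<'a> {
    data: &'a [u8],
    pos: usize,
    remaining_depth: usize,
}

impl<'a> Decoder<'a> {
    fn next_byte(&mut self) -> Result<u8, DecodeError> {
        let b = *self.data.get(self.pos).ok_or(DecodeError::Truncated)?;
        self.pos += 1;
        Ok(b)
    }

    // Argument of a CBOR head byte: the low 5 bits directly for 0..=23,
    // otherwise 1/2/4/8 following big-endian bytes for 24..=27.
    fn read_arg(&mut self, info: u8) -> Result<u64, DecodeError> {
        let nbytes = match info {
            0..=23 => return Ok(info as u64),
            24 => 1,
            25 => 2,
            26 => 4,
            27 => 8,
            other => return Err(DecodeError::Unsupported(other)),
        };
        let mut v = 0u64;
        for _ in 0..nbytes {
            v = (v << 8) | self.next_byte()? as u64;
        }
        Ok(v)
    }

    // The guard: refuse to descend once the budget is spent, and restore the
    // budget after the nested parse whether it succeeded or failed.
    fn recursion_checked<T>(
        &mut self,
        f: impl FnOnce(&mut Self) -> Result<T, DecodeError>,
    ) -> Result<T, DecodeError> {
        if self.remaining_depth == 0 {
            return Err(DecodeError::RecursionLimitExceeded);
        }
        self.remaining_depth -= 1;
        let result = f(&mut *self);
        self.remaining_depth += 1;
        result
    }

    fn parse_value(&mut self) -> Result<Item, DecodeError> {
        let head = self.next_byte()?;
        let (major, info) = (head >> 5, head & 0x1f);
        match major {
            0 => Ok(Item::Uint(self.read_arg(info)?)),
            // Major type 6: the tag number, then the tagged item. Without the
            // wrapper this arm is the unbounded recursion behind the CVE.
            6 => {
                let tag = self.read_arg(info)?;
                let inner = self.recursion_checked(|de| de.parse_value())?;
                Ok(Item::Tagged(tag, Box::new(inner)))
            }
            _ => Err(DecodeError::Unsupported(head)),
        }
    }
}

pub fn decode(data: &[u8]) -> Result<Item, DecodeError> {
    let mut de = Decoder { data, pos: 0, remaining_depth: MAX_DEPTH };
    de.parse_value()
}

fn main() {
    // 17(17(42)): two tag-17 heads, then unsigned 42 encoded as 0x18 0x2a.
    println!("{:?}", decode(&[0xd1, 0xd1, 0x18, 0x2a]));
    // Constructed hostile input, like the crate's regression test: 1000 nested tag heads.
    println!("{:?}", decode(&vec![0xd1u8; 1000]));
}
```

The budget is restored after the nested call on both the `Ok` and `Err` paths; forgetting that on the error path would make a reused decoder reject progressively shallower inputs. A chain of exactly `MAX_DEPTH` tags followed by a value still decodes, so the limit is a hard ceiling on nesting rather than on total tag count.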

Exploitation

Exploitation requires no authentication, no user interaction, and no special privileges. The attack surface is network-based (CVSS AV:N) and the complexity is low (AC:L). Any application that uses the vulnerable serde_cbor crate to deserialize CBOR data from untrusted sources is at risk. An attacker simply sends a malicious CBOR payload; upon deserialization, the stack overflow occurs [3].

Impact

The impact is a denial of service (availability impact: high). Confidentiality and integrity are not affected. The vulnerability can crash the consuming process, making it suitable for disrupting services that rely on this crate for CBOR parsing. The issue was reported by Eric Rafaloff of Trail of Bits [4].

Mitigation

The flaw is fixed in serde_cbor version 0.10.2, released in October 2020. Users should update to at least 0.10.2. The original GitHub repository has since been archived, and the author recommends considering alternative crates such as ciborium or minicbor for new projects [1][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: serde_cbor (crates.io)
Affected versions: < 0.10.2
Patched versions: 0.10.2

Affected products: 2

Patches: 1

Commit 1aec4f9d7185

Prevent stack overflow from nested tags

https://github.com/pyfisch/cbor · Pyfisch · Oct 2, 2019 · via ghsa
2 files changed · +16 −5
  • src/de.rs (+5 −5, modified)
    @@ -704,22 +704,22 @@ where
                 0xbf => self.parse_indefinite_map(visitor),
     
                 // Major type 6: optional semantic tagging of other major types
    -            0xc0..=0xd7 => self.parse_value(visitor),
    +            0xc0..=0xd7 => self.recursion_checked(|de| de.parse_value(visitor)),
                 0xd8 => {
                     self.parse_u8()?;
    -                self.parse_value(visitor)
    +                self.recursion_checked(|de| de.parse_value(visitor))
                 }
                 0xd9 => {
                     self.parse_u16()?;
    -                self.parse_value(visitor)
    +                self.recursion_checked(|de| de.parse_value(visitor))
                 }
                 0xda => {
                     self.parse_u32()?;
    -                self.parse_value(visitor)
    +                self.recursion_checked(|de| de.parse_value(visitor))
                 }
                 0xdb => {
                     self.parse_u64()?;
    -                self.parse_value(visitor)
    +                self.recursion_checked(|de| de.parse_value(visitor))
                 }
                 0xdc..=0xdf => Err(self.error(ErrorCode::UnassignedCode)),
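Review bot: the five tag arms now each wrap `parse_value` in `recursion_checked`, but the limit value and whether the wrapper restores the depth counter on the `Err` path are outside this hunk; please confirm the counter is restored on error (otherwise one rejected value would shrink the budget for every later parse on a reused deserializer) and record the default limit in the changelog, since callers with legitimately deep tag chains will now get a syntax error where they previously got a value. Stylistically, the `0xd8`, `0xd9`, `0xda` and `0xdb` arms differ only in the width of the tag number they skip (`parse_u8` through `parse_u64`) and could share a single `self.recursion_checked(|de| de.parse_value(visitor))` after a small helper that consumes the tag number, which keeps the guard in one place.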
     
    
  • tests/de.rs (+11 −0, modified)
    @@ -725,4 +725,15 @@ mod std_tests {
             let deserialized_ip = from_slice::<IpAddr>(&buf).unwrap();
             assert_eq!(ip, deserialized_ip);
         }
    +
    +    #[test]
    +    fn attempt_stack_overflow() {
    +        // Create a tag 17, followed by 999 more tag 17:
    +        // 17(17(17(17(17(17(17(17(17(17(17(17(17(17(17(17(17(17(...
    +        // This causes deep recursion in the decoder and may
    +        // exhaust the stack and therfore result in a stack overflow.
    +        let input = vec![0xd1; 1000];
    +        let err = serde_cbor::from_slice::<serde_cbor::Value>(&input).expect_err("recursion limit");
    +        assert!(err.is_syntax());
    +    }
     }
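Review bot: the new test only asserts `err.is_syntax()`, which would also pass for an unrelated parse error; asserting the specific recursion-limit error (or matching its message) would tie the test to the behaviour this commit fixes. A companion case with a tag chain just below the limit that decodes successfully would guard against the limit later being set too low to be useful. Minor: `therfore` in the comment should read `therefore`.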
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.