CVE-2024-23684: Denial of service in CBOR library
Because this library uses an inefficient algorithm, it is vulnerable to a denial of service attack when maliciously crafted input is passed to DecodeFromBytes or to the library's other CBOR decoding mechanisms.
Affected versions: 4.0.0 through 4.5.0.
This vulnerability was privately reported to me.