CVE-2019-25001

7.5 HIGH

📋 TL;DR

This vulnerability in the serde_cbor Rust crate allows attackers to cause stack exhaustion through specially crafted CBOR data with deeply nested semantic tags. It affects any Rust application using serde_cbor for CBOR deserialization before version 0.10.2. Attackers can trigger denial of service by sending malicious CBOR payloads.

💻 Affected Systems

Products:
  • serde_cbor Rust crate
Versions: All versions before 0.10.2
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Rust application using serde_cbor for CBOR deserialization is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability: stack exhaustion crashes the process or exhausts its resources, enabling denial of service attacks against affected services.

🟠 Likely Case

Denial of service through application crashes or degraded performance when processing malicious CBOR input, affecting service availability.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and updated libraries preventing exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious CBOR data to a vulnerable deserialization endpoint. The advisory includes a proof-of-concept demonstrating the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.2

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2019-0025.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require serde_cbor >=0.10.2
2. Run 'cargo update serde_cbor'
3. Rebuild and redeploy your application
4. Test CBOR deserialization functionality

🔧 Temporary Workarounds

Input validation and size limits (applies to: all)

Implement input validation to reject CBOR data with excessive nesting depth before deserialization.

Rate limiting (applies to: all)

Implement rate limiting on CBOR deserialization endpoints to limit the impact of DoS attempts.
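The nesting-depth pre-check described above, as an added example that is not serde_cbor's own code: it walks raw CBOR bytes and rejects the input once tags, arrays or maps nest deeper than a caller-chosen limit, before the bytes ever reach the deserializer. The limit value is the caller's choice (an assumption here), and indefinite-length items are treated as unsupported, which is a simplification of this checker rather than a CBOR rule.

```rust
// Added example, not serde_cbor's code: a pre-deserialization depth check.
// Tags (major type 6), arrays (4) and maps (5) each add one nesting level.
// Indefinite-length items (additional info 31) are rejected as unsupported.
#[derive(Debug, PartialEq)]
pub enum CborCheckError {
    TooDeep(usize),
    Truncated,
    Unsupported(u8),
}

/// Decodes the argument that follows an initial byte with additional info `ai`.
fn read_arg(buf: &[u8], pos: &mut usize, ai: u8) -> Result<u64, CborCheckError> {
    let n = match ai {
        0..=23 => return Ok(u64::from(ai)),
        24 => 1, 25 => 2, 26 => 4, 27 => 8,
        _ => return Err(CborCheckError::Unsupported(ai)),
    };
    let bytes = buf.get(*pos..*pos + n).ok_or(CborCheckError::Truncated)?;
    *pos += n;
    Ok(bytes.iter().fold(0u64, |acc, &b| (acc << 8) | u64::from(b)))
}

/// Walks one data item starting at `pos`, leaving `pos` just past it.
/// `depth` is checked before any recursion, so the walk itself stays bounded.
fn walk(buf: &[u8], pos: &mut usize, depth: usize, max: usize) -> Result<(), CborCheckError> {
    if depth > max {
        return Err(CborCheckError::TooDeep(depth));
    }
    let ib = *buf.get(*pos).ok_or(CborCheckError::Truncated)?;
    *pos += 1;
    let (major, ai) = (ib >> 5, ib & 0x1f);
    let arg = read_arg(buf, pos, ai)?;
    match major {
        2 | 3 => { // byte or text string: skip `arg` payload bytes
            if arg > (buf.len() - *pos) as u64 { return Err(CborCheckError::Truncated); }
            *pos += arg as usize;
        }
        4 => { for _ in 0..arg { walk(buf, pos, depth + 1, max)?; } }
        5 => { for _ in 0..arg { walk(buf, pos, depth + 1, max)?; walk(buf, pos, depth + 1, max)?; } }
        6 => walk(buf, pos, depth + 1, max)?, // tag: exactly one enclosed item
        _ => {} // 0, 1, 7: integers, simple values and floats have no children
    }
    Ok(())
}

/// Returns Ok(()) when `buf` nests no deeper than `max_depth` levels.
pub fn check_cbor_depth(buf: &[u8], max_depth: usize) -> Result<(), CborCheckError> {
    let mut pos = 0;
    walk(buf, &mut pos, 0, max_depth)
}
```

Because the limit is checked before each recursive call, the checker's own stack use is bounded by the same limit it enforces.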

🧯 If You Can't Patch

  • Implement network-level protections like WAF rules to block suspicious CBOR payloads
  • Isolate vulnerable services behind load balancers with DoS protection

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or run 'cargo tree | grep serde_cbor' to see the installed version. If the version is below 0.10.2, you are vulnerable.

Check Version:

cargo tree | grep serde_cbor

Verify Fix Applied:

After updating, verify that 'cargo tree | grep serde_cbor' shows version >=0.10.2, and test CBOR deserialization with nested data.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with stack overflow errors
  • High memory/CPU usage during CBOR processing
  • Repeated failed deserialization attempts

Network Indicators:

  • Unusually large or complex CBOR payloads to deserialization endpoints
  • High volume of CBOR requests from single sources

SIEM Query:

source="application.log" AND ("stack overflow" OR "out of memory") AND "serde_cbor"

🔗 References
