CVE-2024-21909

7.5 HIGH

📋 TL;DR

PeterO.Cbor versions 4.0.0 through 4.5.0 contain a denial-of-service vulnerability: specially crafted CBOR data passed to DecodeFromBytes or the library's other decoding entry points can crash or stall the application doing the decoding. Any application that decodes CBOR from untrusted sources with an affected version is exposed, and because the payload only has to reach the decoder, an unauthenticated remote attacker can cause the disruption. The fix is in 4.5.1.

💻 Affected Systems

Products:
  • PeterO.Cbor library
Versions: 4.0.0 through 4.5.0
Operating Systems: All platforms where .NET runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using PeterO.Cbor to decode CBOR data from untrusted sources is vulnerable. The vulnerability is in the core decoding functions.

📦 What is this software?

PeterO.Cbor is an open-source C# implementation of CBOR (Concise Binary Object Representation, RFC 8949), published as the PeterO.Cbor NuGet package. It encodes and decodes CBOR data in .NET applications and is frequently pulled in as a transitive dependency by libraries that handle binary protocol messages, so an application may depend on it without referencing it directly.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A single crafted payload crashes or hangs the decoder and, with it, the host process. In .NET an unhandled exception or uncontrolled resource use inside the decoder takes down the whole process, so every service sharing it is unavailable until it is restarted, and an attacker can repeat the payload as often as the endpoint accepts it.

🟠 Likely Case

Repeated crashes or stalls of the process handling untrusted CBOR, with in-flight requests failing and the service flapping under supervisor restarts for as long as the attacker keeps sending payloads.

🟢 If Mitigated

Limited impact where payload size caps, rate limiting and crash monitoring are in place: individual requests are still lost, but the blast radius is contained and the attack is visible in telemetry.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory states that remote, unauthenticated exploitation is possible by passing crafted data to DecodeFromBytes or another decoding mechanism; the 7.5 score corresponds to a network-reachable, low-complexity attack needing no privileges or user interaction, with availability impact only. The advisory does not publish the triggering structure, and no public proof of concept is known, so the "LOW" complexity rating reflects the attack preconditions (send one payload to an endpoint that decodes it) rather than a known recipe.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.1

Vendor Advisory: https://github.com/peteroupc/CBOR/security/advisories/GHSA-6r92-cgxc-r5fg

Restart Required: Yes

Instructions:

1. Update the PeterO.Cbor NuGet package to version 4.5.1 or later.
2. Rebuild and redeploy affected applications.
3. Restart services using the updated library.

🔧 Temporary Workarounds

Input validation and sanitization (all platforms)

Enforce a hard size cap and a time budget on CBOR payloads before they reach DecodeFromBytes or the other decoding functions, and treat any CBORException or other decoder failure as hostile input to be logged and rejected. Keep in mind that the flaw is in the decoder itself, so validation must not rely on decoding the data first; pre-decode checks can only limit the cost of an attempt, not prevent a small crafted payload from triggering the bug. Only upgrading to 4.5.1 removes the exposure.

Rate limiting and monitoring (all platforms)

Rate-limit endpoints that accept CBOR (for example by client and by content type) and alert on abnormal patterns such as bursts of decode errors or restarts.
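The guard described above, written out as an added example in C#. This is not code from the PeterO.Cbor project or the advisory; it only calls the library's public CBORObject.DecodeFromBytes and CBORException, and the size cap, time budget and sample payloads are assumptions chosen for illustration and must be tuned per endpoint.

```csharp
// Added example, not code from the PeterO.Cbor project or the advisory.
// Guards a call into the library's CBORObject.DecodeFromBytes while an
// application is still on an affected 4.x build. Assumptions (not from the
// page): the limits below are illustrative and must be tuned per endpoint,
// and the sample payloads in Main are constructed for demonstration.
using System;
using System.Threading;
using System.Threading.Tasks;
using PeterO.Cbor;

public static class GuardedCborDecoder
{
    // Hypothetical limits: cap on accepted payload size and on decode wall time.
    public const int MaxPayloadBytes = 64 * 1024;
    public static readonly TimeSpan DecodeBudget = TimeSpan.FromSeconds(2);

    public sealed record DecodeResult(CBORObject Value, string Error)
    {
        public bool Ok => Error == null;
    }

    public static async Task<DecodeResult> DecodeUntrustedAsync(byte[] data, CancellationToken ct = default)
    {
        // Step 1: cheap checks that never touch the vulnerable decoder.
        if (data == null || data.Length == 0)
            return new DecodeResult(null, "empty payload");
        if (data.Length > MaxPayloadBytes)
            return new DecodeResult(null, $"payload of {data.Length} bytes exceeds cap of {MaxPayloadBytes}");

        // Step 2: decode on the thread pool and stop waiting after the budget.
        // Caveat: .NET cannot abort the worker, so a timeout protects the request
        // path, not the CPU; a runaway decode keeps running until it finishes or
        // the process is recycled. Only the 4.5.1 upgrade removes that exposure.
        var decode = Task.Run(() => CBORObject.DecodeFromBytes(data), ct);
        var first = await Task.WhenAny(decode, Task.Delay(DecodeBudget, ct));
        if (first != decode)
            return new DecodeResult(null, "decode exceeded time budget; payload rejected");

        try
        {
            return new DecodeResult(await decode, null);
        }
        catch (CBORException e)
        {
            // The library's own signal for malformed input: log and reject.
            return new DecodeResult(null, "malformed CBOR: " + e.Message);
        }
        catch (Exception e)
        {
            // Any other decoder failure is treated as hostile input. A
            // StackOverflowException or genuine memory exhaustion is not
            // catchable in .NET and still terminates the process, which is why
            // the size cap above matters.
            return new DecodeResult(null, "decoder failure: " + e.GetType().Name);
        }
    }

    public static async Task Main()
    {
        // Constructed samples: a well-formed CBOR map {1: "a"}, an oversized blob,
        // and a map header whose items are missing.
        var good = new byte[] { 0xA1, 0x01, 0x61, 0x61 };
        var oversized = new byte[MaxPayloadBytes + 1];
        var truncated = new byte[] { 0xA1, 0x01 };

        foreach (var sample in new[] { good, oversized, truncated })
        {
            var r = await DecodeUntrustedAsync(sample);
            Console.WriteLine(r.Ok ? "accepted: " + r.Value : "rejected: " + r.Error);
        }
    }
}
```

The rejection reasons are deliberately distinct so that the "decoder failure" and "time budget" outcomes can be counted separately in logs; a spike in either on one endpoint is the signal the monitoring workaround above is looking for.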

🧯 If You Can't Patch

  • Filter at the network or gateway layer: reject CBOR payloads (for example requests with an application/cbor content type) from sources that have no business sending them, and cap the accepted payload size for the rest
  • Run the decoding component under a supervisor with crash detection and automatic restart, and alert on restart frequency, so an attack degrades the service rather than silently taking it down

🔍 How to Verify

Check if Vulnerable:

Check project dependencies for PeterO.Cbor in the 4.0.0 to 4.5.0 range. For .NET projects, examine .csproj PackageReference items, Directory.Packages.props (central package management) and legacy packages.config files, and remember that the library is often a transitive dependency that no project file mentions directly.

Check Version:

For NuGet: `dotnet list package --include-transitive` lists direct and transitive packages with resolved versions; `dotnet list package --vulnerable` flags packages with known advisories. For legacy projects, check packages.config for <package id="PeterO.Cbor" version="..." />.

Verify Fix Applied:

Confirm that the resolved PeterO.Cbor version (not only the declared one) is 4.5.1 or later, and that the deployed build actually ships the updated assembly; a rebuilt package that still pins an older transitive version remains vulnerable.
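The project-file check from the steps above, as an added C# example that is not part of the advisory or the PeterO.Cbor project. It scans a source tree for declared PeterO.Cbor references and classifies each against the affected range; it assumes plain "x.y.z" version strings and flags NuGet range or floating syntax for manual resolution.

```csharp
// Added example, not code from the advisory or the PeterO.Cbor project. Walks a
// source tree and reports every PeterO.Cbor reference declared in .csproj
// (PackageReference), Directory.Packages.props (PackageVersion, central package
// management) or packages.config (package) whose version falls in 4.0.0-4.5.0.
// Assumption: plain "x.y.z" versions; NuGet range or floating syntax such as
// "[4.0,5.0)" or "4.*" is reported for manual resolution rather than judged.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

public static class CborVersionAudit
{
    static readonly Version FirstAffected = new Version(4, 0, 0);
    static readonly Version FirstFixed = new Version(4, 5, 1);

    public sealed record Finding(string File, string Version, bool Vulnerable, string Note);

    // Classifies one declared version string against the affected range.
    public static Finding Classify(string file, string declared)
    {
        if (string.IsNullOrWhiteSpace(declared))
            return new Finding(file, "?", false, "no version attribute; check Directory.Packages.props");
        if (!Version.TryParse(declared, out var v))
            return new Finding(file, declared, false, "range or floating version; resolve with 'dotnet list package --include-transitive'");
        bool vulnerable = v >= FirstAffected && v < FirstFixed;
        return new Finding(file, declared, vulnerable, vulnerable ? "affected; update to 4.5.1 or later" : "not in affected range");
    }

    public static IEnumerable<Finding> Audit(string root)
    {
        var patterns = new[] { "*.csproj", "Directory.Packages.props", "packages.config" };
        foreach (var file in patterns.SelectMany(p => Directory.EnumerateFiles(root, p, SearchOption.AllDirectories)))
        {
            XDocument doc = TryLoad(file);
            if (doc == null) { yield return new Finding(file, "?", false, "could not parse XML"); continue; }

            foreach (var e in doc.Descendants())
            {
                string id = null, version = null;
                switch (e.Name.LocalName)
                {
                    case "PackageReference":
                    case "PackageVersion":
                        id = (string)e.Attribute("Include") ?? (string)e.Attribute("Update");
                        // Version may be an attribute or a child element; old-style projects carry an XML namespace.
                        version = (string)e.Attribute("Version") ?? (string)e.Element(e.Name.Namespace + "Version");
                        break;
                    case "package":   // packages.config
                        id = (string)e.Attribute("id");
                        version = (string)e.Attribute("version");
                        break;
                }
                if (string.Equals(id, "PeterO.Cbor", StringComparison.OrdinalIgnoreCase))
                    yield return Classify(file, version);
            }
        }
    }

    static XDocument TryLoad(string path)
    {
        try { return XDocument.Load(path); } catch (Exception) { return null; }
    }

    public static int Main(string[] args)
    {
        var root = args.Length > 0 ? args[0] : ".";
        var findings = Audit(root).ToList();
        foreach (var f in findings)
            Console.WriteLine($"{(f.Vulnerable ? "VULNERABLE" : "info")}  {f.File}  PeterO.Cbor {f.Version}  ({f.Note})");
        // Non-zero exit makes this usable as a CI gate.
        return findings.Any(f => f.Vulnerable) ? 1 : 0;
    }
}
```

This only sees declared references. Pair it with `dotnet list package --include-transitive` on the restored solution, since a vulnerable PeterO.Cbor pulled in by another package never appears in any project file.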

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or unhandled exceptions in CBOR decoding functions
  • High error rates in CBOR processing endpoints
  • Abnormal memory usage patterns

Network Indicators:

  • Unusually large or malformed CBOR payloads
  • High volume of CBOR requests to vulnerable endpoints

SIEM Query:

source="application_logs" AND ("DecodeFromBytes" OR "CBORException" OR "PeterO.Cbor" OR "CBOR") AND ("crash" OR "exception" OR "error" OR "timeout")

The query is a starting point for a Splunk-style search and will need the field names and log source of the environment substituted; the bare term "CBOR" is noisy on its own, so anchor alerts on the decoder and exception names.

🔗 References

  • Vendor advisory (GHSA-6r92-cgxc-r5fg): https://github.com/peteroupc/CBOR/security/advisories/GHSA-6r92-cgxc-r5fg
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-21909