Vulnerability in concordia project

[ankitdn]

While working on concordia project, I identified a vulnerability in the cbor2 package. The issue occurs when a CBORDecoder instance is reused across multiple decode operations. Shareable values from previously decoded messages remain in memory and can be accessed by subsequent decode calls, which may result in unintended data leakage when handling untrusted CBOR input.

CVE Report
CVE Link

[SagarJadhav30]

@ankitdn I identified and reproduced this issue while working on the Concordia project. The root cause appears to be persistent decoder state when CBORDecoder instances are reused, leading to potential data leakage across decode calls. I’ve submitted a CVE report and will take ownership of this issue and follow up with a fix or recommendation.