Is CVE-2025-68131 actively exploited?

CVE-2025-68131 has no public evidence of in-the-wild exploitation as of 2026-01-02.

What is the CVSS score for CVE-2025-68131?

CVE-2025-68131 has a CVSS score of 5.5 (MEDIUM severity). Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

How do I patch CVE-2025-68131?

Patch guidance is available from agronholm security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-68131.

CVE-2025-68131 - remediation guidance & executive summary

Description

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.

CVSS Metrics

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Confidentiality: undefined
Integrity: undefined
Availability: undefined
Weaknesses: CWE-212

Metadata

Primary Vendor: AGRONHOLM
Published: 12/31/2025
Last Modified: 1/2/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2025-68131

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary