Vulnerability in cognee project #1950

@ankitdn

Description

Bug Description

While working on the cognee project, I identified a vulnerability in the cbor2 package. The issue occurs when a CBORDecoder instance is reused across multiple decode operations. Shareable values from previously decoded messages remain in memory and can be accessed by subsequent decode calls, which may result in unintended data leakage when handling untrusted CBOR input.

CVE Report
CVE Link

Steps to Reproduce

Scan the project’s dependency files using Vulert
Vulert detects CVE-2025-68131 related to reuse of CBORDecoder instances.
Review the vulnerability details showing that decoder state persists across decode operations, leading to possible information leakage.

Expected Behavior

Each CBOR decode operation should be isolated, and no data from previously decoded messages should persist or be accessible in subsequent decode operations.

Actual Behavior

Shareable values from earlier decode operations persist in the decoder instance and can be accessed via crafted CBOR payloads, leading to potential information disclosure.

Environment

Affected Package: cbor2
Affected Versions: Versions prior to 5.8.0
Patched Version: 5.8.0
CVSS Score: 5.5
Detection Method: Vulert dependency scan

Logs/Error Messages

Additional Context

No response

Pre-submission Checklist

  • I have searched existing issues to ensure this bug hasn't been reported already
  • I have provided a clear and detailed description of the bug
  • I have included steps to reproduce the issue
  • I have included my environment details
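
The pattern described in this issue, as an added example that is not code from the original issue, from the cognee project, or from the cbor2 library: a small CBOR decoder (unsigned integers, byte and text strings, arrays, and tags) that implements the shareable-value tags 28 ("mark the tagged item as shareable") and 29 ("reference the Nth shareable item") and keeps its shareable table between decode() calls, next to a variant that resets the table at the start of every call. The tag semantics follow the CBOR shareable-references tag registration; cbor2's own internals are not reproduced here, and both CBOR messages are constructed for the demonstration.

```python
# Added example (not cbor2's code): minimal CBOR decoder showing how shareable
# state that survives decode() calls lets a later, attacker-controlled message
# reference a value from an earlier one. Tag numbers follow the CBOR
# shareable-references registration (28 = shareable, 29 = shared reference).

SHAREABLE_TAG = 28    # tag 28: the tagged item becomes shareable entry N
SHARED_REF_TAG = 29   # tag 29: unsigned int N refers back to shareable entry N


def _head(major: int, arg: int) -> bytes:
    """Encode a CBOR initial byte plus its argument (RFC 8949 section 3)."""
    if arg < 24:
        return bytes([major << 5 | arg])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * size):
            return bytes([major << 5 | info]) + arg.to_bytes(size, "big")
    raise ValueError("argument too large")


def enc_uint(n: int) -> bytes:
    return _head(0, n)


def enc_text(s: str) -> bytes:
    raw = s.encode("utf-8")
    return _head(3, len(raw)) + raw


def enc_tag(tag: int, item: bytes) -> bytes:
    return _head(6, tag) + item


class ReusedStateDecoder:
    """Decoder whose shareable table survives across decode() calls.

    This is the bug pattern the issue describes: the table is only emptied
    when a brand-new decoder object is created.
    """

    def __init__(self) -> None:
        self._shareables: list = []
        self._buf = b""
        self._pos = 0

    def decode(self, data: bytes):
        self._buf, self._pos = data, 0
        return self._item()

    def _read(self, n: int) -> bytes:
        if self._pos + n > len(self._buf):
            raise ValueError("truncated CBOR input")
        chunk = self._buf[self._pos:self._pos + n]
        self._pos += n
        return chunk

    def _arg(self, info: int) -> int:
        if info < 24:
            return info
        if 24 <= info <= 27:                       # 1, 2, 4 or 8 following bytes
            return int.from_bytes(self._read(1 << (info - 24)), "big")
        raise ValueError("unsupported additional information %d" % info)

    def _item(self):
        initial = self._read(1)[0]
        major, arg = initial >> 5, self._arg(initial & 0x1F)
        if major == 0:
            return arg
        if major == 2:
            return self._read(arg)
        if major == 3:
            return self._read(arg).decode("utf-8")
        if major == 4:
            return [self._item() for _ in range(arg)]
        if major == 6:
            if arg == SHAREABLE_TAG:
                index = len(self._shareables)
                self._shareables.append(None)      # reserve the slot first
                value = self._item()
                self._shareables[index] = value
                return value
            if arg == SHARED_REF_TAG:
                index = self._item()
                if not isinstance(index, int) or index >= len(self._shareables):
                    raise ValueError("shared reference %r out of range" % (index,))
                return self._shareables[index]
            return (arg, self._item())              # other tags: keep as a tuple
        raise ValueError("major type %d not supported in this example" % major)


class IsolatedDecoder(ReusedStateDecoder):
    """Same parser, but the shareable table is reset on every decode() call."""

    def decode(self, data: bytes):
        self._shareables = []
        return super().decode(data)


def demo():
    """Decode two messages with each decoder; return (leaked value, resolved?)."""
    first = enc_tag(SHAREABLE_TAG, enc_text("session-secret"))  # constructed
    second = enc_tag(SHARED_REF_TAG, enc_uint(0))               # constructed, attacker-controlled
    reused = ReusedStateDecoder()
    reused.decode(first)
    leaked = reused.decode(second)      # value from message 1 surfaces in message 2
    isolated = IsolatedDecoder()
    isolated.decode(first)
    try:
        isolated.decode(second)
        resolved = True
    except ValueError:
        resolved = False                # reference into a previous message is rejected
    return leaked, resolved


if __name__ == "__main__":
    print(demo())
```

The second message carries nothing but a back-reference, yet the reused decoder hands it the string from the first message. Resetting the table per call (or, equivalently, creating a fresh decoder per message, which is the expected behaviour stated above) turns the same input into a parse error.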

Metadata

Assignees

Labels

bug: Something isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
