Version history
This library adheres to Semantic Versioning 2.0.
5.9.0 (2026-03-22)
Added the
max_depthdecoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)Changed the default
read_sizefrom 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passingread_size=4096when they don’t need to access the stream directly after decoding. Added a direct read path forread_size=1to avoid buffer management overhead. (#275; PR by @andreer)Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#254)
Fixed a missed check for an exception in the C implementation of
CBOREncoder.encode_shared()(#287)Fixed two reference/memory leaks in the C extension’s long string decoder (#290 PR by @killiancowan82)
Fixed C decoder ignoring the
str_errorssetting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#255; PR by @andreer)
5.8.0 (2025-12-30)
Added readahead buffering to C decoder for improved performance. The decoder now uses a 4 KB buffer by default to reduce the number of read calls. Benchmarks show 20-140% performance improvements for decoding operations. (#268; PR by @andreer)
Fixed Python decoder not preserving share index when decoding array items containing nested shareable tags, causing shared references to resolve to wrong objects (#267; PR by @andreer)
Reset shared reference state at the start of each top-level encode/decode operation (#266; PR by @andreer)
5.7.1 (2025-10-24)
Improved performance on decoding large definite bytestrings (#240; PR by @dwpaley)
Fixed a read(-1) vulnerability caused by boundary handling error (#264; PR by @tylzh97)
5.7.0 (2025-08-14)
Added support for Python 3.14 (no free-threading support yet, sorry)
Dropped support for Python 3.8 (#247; PR by @hugovk)
Added support for encoding indefinite containers (#256; PR by @CZDanol)
Added complex number support (tag 43000) (#249; PR by @chillenb)
5.6.5 (2024-10-09)
Published binary wheels for Python 3.13
5.6.4 (2024-06-06)
Fixed compilation of C extension failing on GCC 14
Fixed compiler warnings when building C extension
5.6.3 (2024-04-11)
Fixed decoding of epoch-based dates being affected by the local time zone in the C extension
5.6.2 (2024-02-19)
Fixed
__hash__()of the C version of theCBORTagtype crashing when there’s a recursive reference cycleFixed type annotation for the file object in
cbor2.dump(),cbor2.load(),CBOREncoderandCBORDecoderto beIO[bytes]instead ofBytesIOWorked around a CPython bug that caused a
SystemErrorto be raised, or even a buffer overflow to occur when decoding a long text string that contained only ASCII charactersChanged the return type annotations of
cbor2.load()andcbor2.load()to returnAnyinstead ofobjectso as not to force users to make type casts
5.6.1 (2024-02-01)
Fixed use-after-free in the decoder’s C version when prematurely encountering the end of stream
Fixed the C version of the decoder improperly raising
CBORDecodeEOFwhen decoding a text string longer than 65536 bytes
5.6.0 (2024-01-17)
Added the
cbor2command line tool (forpipx run cbor2)Added support for native date encoding (bschoenmaeckers)
Made the C extension mandatory when the environment variable
CBOR2_BUILD_C_EXTENSIONis set to1.Fixed
SystemErrorin the C extension when decoding aFractionalwith a bad number of arguments or a non-tuple valueFixed
SystemErrorin the C extension when the decoder object hook raises an exceptionFixed a segmentation fault when decoding invalid unicode data
Fixed infinite recursion when trying to hash a CBOR tag whose value points to the tag itself
Fixed
MemoryErrorwhen maliciously constructed bytestrings or string (declared to be absurdly large) are being decodedFixed
UnicodeDecodeErrorfrom failed parsing of a UTF-8 text string not being wrapped asCBORDecodeValueErrorFixed
TypeErrororZeroDivisionErrorfrom a failed decoding ofFractionnot being wrapped asCBORDecodeValueErrorFixed
TypeErrororValueErrorfrom a failed decoding ofUUIDnot being wrapped asCBORDecodeValueErrorFixed
TypeErrorfrom a failed decoding ofMIMEMessagenot being wrapped asCBORDecodeValueErrorFixed
OverflowError,OSErrororValueErrorfrom a failed decoding of epoch-baseddatetimenot being wrapped asCBORDecodeValueError
5.5.1 (2023-11-02)
Fixed
CBORSimpleValueallowing the use of reserved values (24 to 31) which resulted in invalid byte sequencesFixed encoding of simple values from 20 to 23 producing the wrong byte sequences
5.5.0 (2023-10-21)
The
cbor2.encoder,cbor2.decoderorcbor2.typesmodules were deprecated – import their contents directly fromcbor2from now on. The old modules will be removed in the next major release.Added support for Python 3.12
Added type annotations
Dropped support for Python 3.7
Fixed bug in the
fpattribute of the built-in version ofCBORDecoderandCBOREncoderwhere the getter returns an invalid pointer if thereadmethod of the file was a built-in method
5.4.6 (2022-12-07)
Fix MemoryError when decoding Tags on 32bit architecture. (Sekenre)
5.4.5 (2022-11-29)
Added official Python 3.11 support (agronholm)
Raise proper exception on invalid bignums (Øyvind Rønningstad)
Make Tagged item usable as a map key (Niels Mündler)
Eliminate potential memory leak in tag handling (Niels Mündler)
Documentation tweaks (Adam Johnson)
5.4.4 (2022-11-28)
REMOVED Due to potential memory leak bug
5.4.3 (2022-05-03)
Removed support for Python < 3.7
Various build system improvements for binary wheels (agronholm)
Migrated project to use
pyproject.tomland pre-commit hooks (agronholm)
5.4.2 (2021-10-14)
Fix segfault when initializing CBORTag with incorrect arguments (Sekenre)
Fix sphinx build warnings (Sekenre)
5.4.1 (2021-07-23)
Fix SystemErrors when using C-backend, meaningful exceptions now raised (Sekenre)
Fix precision loss when decoding base10 decimal fractions (Sekenre)
Made CBORTag handling consistent between python and C-module (Sekenre)
5.4.0 (2021-06-04)
Fix various bounds checks in the C-backend (Sekenre)
More testing of invalid/corrupted data (Sekenre)
Support for String References (xurtis)
Update Docs to refer to new RFC8949
5.3.0 (2021-05-18)
Removed support for Python < 3.6
5.2.0 (2020-09-30)
Final version tested with Python 2.7 and 3.5
README: Announce deprecation of Python 2.7, 3.5
README: More detail and examples
Bugfix: Fix segfault on loading huge arrays with C-backend (Sekenre)
Build system: Allow packagers to force C-backend building or disable using env var (jameshilliard)
Feature:
cbor2.toolCommand line diagnostic tool (Sekenre)Feature: Ignore semantic tag used for file magic 55799 AKA “Self-Described CBOR” (kalcutter)
5.1.2 (2020-07-21)
Bugfix: Refcount bug in C lib causing intermittent segfaults on shutdown (tdryer)
5.1.1 (2020-07-03)
Build system: Making C lib optional if it fails to compile (chiefnoah)
Build system: Better Glibc version detection (Sekenre and JayH5)
Tests: Positive and negative bignums (kalcutter)
Bugfix: Fractional seconds parsing in datetimes (kalcutter)
5.1.0 (2020-03-18)
Minor API change:
CBORSimpleValueis now a subclass of namedtuple and allows all numeric comparisons. This brings functional parity between C and Python modules.Fixes for C-module on big-endian systems including floating point decoding, smallint encoding, and boolean argument handling. Tested on s390x and MIPS32.
Increase version requred of setuptools during install due to unicode errors.
5.0.1 (2020-01-21)
Fix deprecation warning on python 3.7, 3.8 (mariano54)
Minor documentation tweaks
5.0.0 (2020-01-20)
BACKWARD INCOMPATIBLE CBOR does not have a bare DATE type, encoding dates as datetimes is disabled by default (PR by Changaco)
BACKWARD INCOMPATIBLE
CBORDecoder.set_shareable()only takes the instance to share, not the shareable’s indexBACKWARD INCOMPATIBLE
CBORErrornow descends fromExceptionrather thanValueError; however, subordinate exceptions now descend fromValueError(where appropriate) so most users should notice no differenceBACKWARD INCOMPATIBLE
CBORDecodercan now raiseCBORDecodeEOFwhich inherits fromEOFErrorsupporting streaming applicationsOptional Pure C implementation by waveform80 that functions identically to the pure Python implementation with further contributions from: toravir, jonashoechst, Changaco
Drop Python 3.3 and 3.4 support from the build process; they should still work if built from source but are no longer officially supported
Added support for encoding and decoding
ipaddress.IPv4Address,ipaddress.IPv6Address,ipaddress.IPv4Network, andipaddress.IPv6Network(semantic tags 260 and 261)
4.2.0 (2020-01-10)
BROKEN BUILD Removed
4.1.2 (2018-12-10)
Fixed bigint encoding taking quadratic time
Fixed overflow errors when encoding floating point numbers in canonical mode
Improved decoder performance for dictionaries
Minor documentation tweaks
4.1.1 (2018-10-14)
Fixed encoding of negative
decimal.Decimalinstances (PR by Sekenre)
4.1.0 (2018-05-27)
Added canonical encoding (via
canonical=True) (PR by Sekenre)Added support for encoding/decoding sets (semantic tag 258) (PR by Sekenre)
Added support for encoding
FrozenDict(hashable dict) as map keys or set elements (PR by Sekenre)
4.0.1 (2017-08-21)
Fixed silent truncation of decoded data if there are not enough bytes in the stream for an exact read (
CBORDecodeErroris now raised instead)
4.0.0 (2017-04-24)
BACKWARD INCOMPATIBLE Value sharing has been disabled by default, for better compatibility with other implementations and better performance (since it is rarely needed)
BACKWARD INCOMPATIBLE Replaced the
semantic_decodersdecoder option with theCBORDecoder.tag_hookoptionBACKWARD INCOMPATIBLE Replaced the
encodersencoder option with theCBOREncoder.defaultoptionBACKWARD INCOMPATIBLE Factored out the file object argument (
fp) from all callbacksBACKWARD INCOMPATIBLE The encoder no longer supports every imaginable type implementing the
SequenceorMapinterface, as they turned out to be too broadAdded the
CBORDecoder.object_hookoption for decoding dicts into complex objects (intended for situations where JSON compatibility is required and semantic tags cannot be used)Added encoding and decoding of simple values (
CBORSimpleValue) (contributed by Jerry Lundström)Replaced the decoder for bignums with a simpler and faster version (contributed by orent)
Made all relevant classes and functions available directly in the
cbor2namespaceAdded proper documentation
3.0.4 (2016-09-24)
Fixed TypeError when trying to encode extension types (regression introduced in 3.0.3)
3.0.3 (2016-09-23)
No changes, just re-releasing due to git tagging screw-up
3.0.2 (2016-09-23)
Fixed decoding failure for datetimes with microseconds (tag 0)
3.0.1 (2016-08-08)
Fixed error in the cyclic structure detection code that could mistake one container for another, sometimes causing a bogus error about cyclic data structures where there was none
3.0.0 (2016-07-03)
BACKWARD INCOMPATIBLE Encoder callbacks now receive three arguments: the encoder instance, the value to encode and a file-like object. The callback must must now either write directly to the file-like object or call another encoder callback instead of returning an iterable.
BACKWARD INCOMPATIBLE Semantic decoder callbacks now receive four arguments: the decoder instance, the primitive value, a file-like object and the shareable index for the decoded value. Decoders that support value sharing must now set the raw value at the given index in
decoder.shareables.BACKWARD INCOMPATIBLE Removed support for iterative encoding (
CBOREncoder.encode()is no longer a generator function and always returnsNone)Significantly improved performance (encoder ~30 % faster, decoder ~60 % faster)
Fixed serialization round-trip for
undefined(simple type 23)Added proper support for value sharing in callbacks
2.0.0 (2016-06-11)
BACKWARD INCOMPATIBLE Deserialize unknown tags as
CBORTagobjects so as not to lose informationFixed error messages coming from nested structures
1.1.0 (2016-06-10)
Fixed deserialization of cyclic structures
1.0.0 (2016-06-08)
Initial release