Upped the max_depth value to 400

agronholm · agronholm · commit a7ac10d5cbb7 · 2026-03-21T23:48:20.000+02:00
diff --git a/cbor2/_decoder.py b/cbor2/_decoder.py
@@ -74,7 +74,7 @@ def __init__(
         str_errors: Literal["strict", "error", "replace"] = "strict",
         read_size: int = 1,
         *,
-        max_depth: int = 100,
+        max_depth: int = 400,
     ):
         """
         :param fp:
@@ -832,7 +832,7 @@ def loads(
     str_errors: Literal["strict", "error", "replace"] = "strict",
     read_size: int = 1,
     *,
-    max_depth: int = 100,
+    max_depth: int = 400,
 ) -> Any:
     """
     Deserialize an object from a bytestring.
@@ -881,7 +881,7 @@ def load(
     str_errors: Literal["strict", "error", "replace"] = "strict",
     read_size: int = 1,
     *,
-    max_depth: int = 100,
+    max_depth: int = 400,
 ) -> Any:
     """
     Deserialize an object from an open file.
diff --git a/docs/versionhistory.rst b/docs/versionhistory.rst
@@ -8,7 +8,7 @@ This library adheres to `Semantic Versioning 2.0 <http://semver.org/>`_.
 **UNRELEASED**
 
 - Added the ``max_depth`` decoder parameter to limit the maximum allowed nesting level of
-  containers, with a default value of 100 levels (CVE-2026-26209)
+  containers, with a default value of 400 levels (CVE-2026-26209)
 - Changed the default ``read_size`` from 4096 to 1 for backwards compatibility.
   The buffered reads introduced in 5.8.0 could cause issues when code needs to
   access the stream position after decoding. Users can opt-in to faster decoding
diff --git a/source/decoder.h b/source/decoder.h
@@ -6,7 +6,7 @@
 // Default readahead buffer size for streaming reads.
 // Set to 1 for backwards compatibility (no buffering).
 #define CBOR2_DEFAULT_READ_SIZE 1
-#define CBOR2_DEFAULT_MAX_DEPTH 100
+#define CBOR2_DEFAULT_MAX_DEPTH 400
 
 // Forward declaration for function pointer typedef
 struct CBORDecoderObject_;
diff --git a/tests/test_decoder.py b/tests/test_decoder.py
@@ -142,9 +142,9 @@ class TestMaximumDepth:
     def test_default(self, impl) -> None:
         with pytest.raises(
             impl.CBORDecodeError,
-            match="maximum container nesting depth \\(100\\) exceeded",
+            match="maximum container nesting depth \\(400\\) exceeded",
         ):
-            impl.loads(b"\x81" * 101 + b"\x80")
+            impl.loads(b"\x81" * 401 + b"\x80")
 
     def test_explicit(self, impl) -> None:
         with pytest.raises(
