Python/cryptography/43.0.0

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

https://pypi.org/project/cryptography
Apache-2.0 AND BSD

5 Security Vulnerabilities

Vulnerable OpenSSL included in cryptography wheels

Published date: 2026-06-15T20:12:27Z
Links:

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

If you are building cryptography source (sdist) then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Affected versions: ["48.0.0", "47.0.0", "46.0.7", "46.0.6", "46.0.5", "46.0.4", "46.0.3", "46.0.2", "46.0.1", "46.0.0", "45.0.7", "45.0.6", "45.0.5", "45.0.4", "45.0.3", "45.0.2", "45.0.1", "45.0.0", "44.0.3", "44.0.2", "44.0.1", "44.0.0", "43.0.3", "43.0.1", "43.0.0", "43.0.0.dev1", "42.0.8", "42.0.7", "42.0.6", "42.0.5", "42.0.4", "42.0.3", "42.0.2", "42.0.1", "42.0.0", "41.0.7", "41.0.6", "41.0.5", "41.0.4", "41.0.3", "41.0.2", "41.0.1", "41.0.0", "40.0.2", "40.0.1", "40.0.0", "39.0.2", "39.0.1", "39.0.0", "38.0.4", "38.0.3", "38.0.2", "38.0.1", "38.0.0", "37.0.4", "37.0.3", "37.0.2", "37.0.1", "37.0.0", "36.0.2", "36.0.1", "36.0.0", "35.0.0", "3.4.8", "3.4.7", "3.4.6", "3.4.5", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4", "3.3.2", "3.3.1", "3.3", "3.2.1", "3.2", "3.1.1", "3.1", "3.0", "2.9.2", "2.9.1", "2.9", "2.8", "2.7", "2.6.1", "2.6", "2.5", "2.4.2", "2.4.1", "2.4", "2.3.1", "2.3", "2.2.2", "2.2.1", "2.2", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1", "2.0.3", "2.0.2", "2.0.1", "2.0", "1.9", "1.8.2", "1.8.1", "1.8", "1.7.2", "1.7.1", "1.7", "1.6", "1.5.3", "1.5.2", "1.5.1", "1.5", "1.4", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3", "1.2.3", "1.2.2", "1.2.1", "1.2", "1.1.2", "1.1.1", "1.1", "1.0.2", "1.0.1", "1.0", "0.9.3", "0.9.2", "0.9.1", "0.9", "0.8.2", "0.8.1", "0.8", "0.7.2", "0.7.1", "0.7", "0.6.1", "0.6", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.

Vulnerable OpenSSL included in cryptography wheels

Published date: 2025-02-11T18:06:42Z
CVE: CVE-2024-12797
Links:

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.

If you are building cryptography source (sdist) then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Affected versions: ["44.0.0", "43.0.3", "43.0.1", "43.0.0", "43.0.0.dev1", "42.0.8", "42.0.7", "42.0.6", "42.0.5", "42.0.4", "42.0.3", "42.0.2", "42.0.1", "42.0.0"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.

pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels

Published date: 2024-09-03T21:59:48Z
Links:

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20240903.txt.

If you are building cryptography source (sdist) then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Affected versions: ["43.0.0", "43.0.0.dev1", "42.0.8", "42.0.7", "42.0.6", "42.0.5", "42.0.4", "42.0.3", "42.0.2", "42.0.1", "42.0.0", "41.0.7", "41.0.6", "41.0.5", "41.0.4", "41.0.3", "41.0.2", "41.0.1", "41.0.0", "40.0.2", "40.0.1", "40.0.0", "39.0.2", "39.0.1", "39.0.0", "38.0.4", "38.0.3", "38.0.2", "38.0.1", "38.0.0", "37.0.4", "37.0.3", "37.0.2", "37.0.1", "37.0.0"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.

cryptography has incomplete DNS name constraint enforcement on peer names

Published date: 2026-03-27T19:56:21Z
CVE: CVE-2026-34073
Links:

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the peer name presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @1seal

Affected versions: ["46.0.5", "46.0.4", "46.0.3", "46.0.2", "46.0.1", "46.0.0", "45.0.7", "45.0.6", "45.0.5", "45.0.4", "45.0.3", "45.0.2", "45.0.1", "45.0.0", "44.0.3", "44.0.2", "44.0.1", "44.0.0", "43.0.3", "43.0.1", "43.0.0", "43.0.0.dev1", "42.0.8", "42.0.7", "42.0.6", "42.0.5", "42.0.4", "42.0.3", "42.0.2", "42.0.1", "42.0.0", "41.0.7", "41.0.6", "41.0.5", "41.0.4", "41.0.3", "41.0.2", "41.0.1", "41.0.0", "40.0.2", "40.0.1", "40.0.0", "39.0.2", "39.0.1", "39.0.0", "38.0.4", "38.0.3", "38.0.2", "38.0.1", "38.0.0", "37.0.4", "37.0.3", "37.0.2", "37.0.1", "37.0.0", "36.0.2", "36.0.1", "36.0.0", "35.0.0", "3.4.8", "3.4.7", "3.4.6", "3.4.5", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4", "3.3.2", "3.3.1", "3.3", "3.2.1", "3.2", "3.1.1", "3.1", "3.0", "2.9.2", "2.9.1", "2.9", "2.8", "2.7", "2.6.1", "2.6", "2.5", "2.4.2", "2.4.1", "2.4", "2.3.1", "2.3", "2.2.2", "2.2.1", "2.2", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1", "2.0.3", "2.0.2", "2.0.1", "2.0", "1.9", "1.8.2", "1.8.1", "1.8", "1.7.2", "1.7.1", "1.7", "1.6", "1.5.3", "1.5.2", "1.5.1", "1.5", "1.4", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3", "1.2.3", "1.2.2", "1.2.1", "1.2", "1.1.2", "1.1.1", "1.1", "1.0.2", "1.0.1", "1.0", "0.9.3", "0.9.2", "0.9.1", "0.9", "0.8.2", "0.8.1", "0.8", "0.7.2", "0.7.1", "0.7", "0.6.1", "0.6", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5", "0.4", "0.3", "0.2.2", "0.2.1", "0.2", "0.1"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.

cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

Published date: 2026-02-10T21:27:06Z
CVE: CVE-2026-26007
Links:

Vulnerability Summary

The public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve.

This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.

Only SECT curves are impacted by this.

Credit

This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

Affected versions: ["46.0.4", "46.0.3", "46.0.2", "46.0.1", "46.0.0", "45.0.7", "45.0.6", "45.0.5", "45.0.4", "45.0.3", "45.0.2", "45.0.1", "45.0.0", "44.0.3", "44.0.2", "44.0.1", "44.0.0", "43.0.3", "43.0.1", "43.0.0", "43.0.0.dev1", "42.0.8", "42.0.7", "42.0.6", "42.0.5", "42.0.4", "42.0.3", "42.0.2", "42.0.1", "42.0.0", "41.0.7", "41.0.6", "41.0.5", "41.0.4", "41.0.3", "41.0.2", "41.0.1", "41.0.0", "40.0.2", "40.0.1", "40.0.0", "39.0.2", "39.0.1", "39.0.0", "38.0.4", "38.0.3", "38.0.2", "38.0.1", "38.0.0", "37.0.4", "37.0.3", "37.0.2", "37.0.1", "37.0.0", "36.0.2", "36.0.1", "36.0.0", "35.0.0", "3.4.8", "3.4.7", "3.4.6", "3.4.5", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4", "3.3.2", "3.3.1", "3.3", "3.2.1", "3.2", "3.1.1", "3.1", "3.0", "2.9.2", "2.9.1", "2.9", "2.8", "2.7", "2.6.1", "2.6", "2.5", "2.4.2", "2.4.1", "2.4", "2.3.1", "2.3", "2.2.2", "2.2.1", "2.2", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1", "2.0.3", "2.0.2", "2.0.1", "2.0", "1.9", "1.8.2", "1.8.1", "1.8", "1.7.2", "1.7.1", "1.7", "1.6", "1.5.3", "1.5.2", "1.5.1", "1.5", "1.4", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3", "1.2.3", "1.2.2", "1.2.1", "1.2", "1.1.2", "1.1.1", "1.1", "1.0.2", "1.0.1", "1.0", "0.9.3", "0.9.2", "0.9.1", "0.9", "0.8.2", "0.8.1", "0.8", "0.7.2", "0.7.1", "0.7", "0.6.1", "0.6", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5", "0.4", "0.3", "0.2.2", "0.2.1", "0.2", "0.1"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.

158 Other Versions

Version License Security Released
2.1.2 Apache-2.0 AND BSD 11 2017-10-24 - 15:50 over 8 years
2.1.1 Apache-2.0 AND BSD 11 2017-10-12 - 05:35 over 8 years
2.1 Apache-2.0 AND BSD 11 2017-10-11 - 12:56 over 8 years
2.0.3 Apache-2.0 AND BSD 11 2017-08-03 - 22:03 almost 9 years
2.0.2 Apache-2.0 AND BSD 11 2017-07-27 - 03:28 almost 9 years
2.0.1 Apache-2.0 AND BSD 11 2017-07-26 - 20:23 almost 9 years
2.0 Apache-2.0 AND BSD 11 2017-07-17 - 15:44 almost 9 years
1.9 Apache-2.0 AND BSD 11 2017-05-30 - 02:33 about 9 years
1.8.2 Apache-2.0 AND BSD 10 2017-05-26 - 06:42 about 9 years
1.8.1 Apache-2.0 AND BSD 10 2017-03-10 - 04:05 over 9 years
1.8 Apache-2.0 AND BSD 10 2017-03-10 - 03:05 over 9 years
1.7.2 Apache-2.0 AND BSD 9 2017-02-12 - 15:23 over 9 years
1.7.1 Apache-2.0 AND BSD 9 2016-12-13 - 23:01 over 9 years
1.7 Apache-2.0 AND BSD 9 2016-12-12 - 18:31 over 9 years
1.6 Apache-2.0 AND BSD 9 2016-11-22 - 03:29 over 9 years
1.5.3 Apache-2.0 AND BSD 9 2016-11-06 - 04:18 over 9 years
1.5.2 Apache-2.0 AND BSD 10 2016-09-26 - 20:29 over 9 years
1.5.1 Apache-2.0 AND BSD 10 2016-09-22 - 20:15 over 9 years
1.5 Apache-2.0 AND BSD 10 2016-08-26 - 15:51 almost 10 years
1.4 Apache-2.0 AND BSD 10 2016-06-04 - 17:15 about 10 years
1.3.4 Apache-2.0 AND BSD 10 2016-06-03 - 03:17 about 10 years
1.3.3 Apache-2.0 AND BSD 10 2016-06-02 - 21:50 about 10 years
1.3.2 Apache-2.0 AND BSD 10 2016-05-04 - 16:19 about 10 years
1.3.1 Apache-2.0 AND BSD 10 2016-03-21 - 21:57 about 10 years
1.3 Apache-2.0 AND BSD 10 2016-03-18 - 13:20 over 10 years
1.2.3 Apache-2.0 AND BSD 10 2016-03-02 - 02:15 over 10 years
1.2.2 Apache-2.0 AND BSD 10 2016-01-29 - 19:31 over 10 years
1.2.1 Apache-2.0 AND BSD 10 2016-01-08 - 21:33 over 10 years
1.2 Apache-2.0 AND BSD 10 2016-01-08 - 15:44 over 10 years
1.1.2 Apache-2.0 AND BSD 10 2015-12-10 - 19:59 over 10 years
1.1.1 Apache-2.0 AND BSD 10 2015-11-19 - 04:06 over 10 years
1.1 Apache-2.0 AND BSD 10 2015-10-28 - 22:43 over 10 years
1.0.2 Apache-2.0 AND BSD 10 2015-09-27 - 13:55 over 10 years
1.0.1 Apache-2.0 AND BSD 10 2015-09-06 - 01:57 almost 11 years
1.0 Apache-2.0 AND BSD 10 2015-08-12 - 13:40 almost 11 years
0.9.3 Apache-2.0 AND BSD 10 2015-07-09 - 14:45 almost 11 years
0.9.2 Apache-2.0 AND BSD 10 2015-07-03 - 23:01 almost 11 years
0.9.1 Apache-2.0 AND BSD 10 2015-06-06 - 21:26 about 11 years
0.9 Apache-2.0 AND BSD 10 2015-05-14 - 01:42 about 11 years
0.8.2 Apache-2.0 AND BSD 10 2015-04-11 - 02:01 about 11 years
0.8.1 Apache-2.0 AND BSD 10 2015-03-20 - 15:35 over 11 years
0.8 Apache-2.0 AND BSD 9 2015-03-09 - 04:53 over 11 years
0.7.2 Apache-2.0 AND BSD 8 2015-01-16 - 14:19 over 11 years
0.7.1 Apache-2.0 AND BSD 8 2014-12-29 - 01:54 over 11 years
0.7 Apache-2.0 AND BSD 8 2014-12-18 - 03:34 over 11 years
0.6.1 Apache-2.0 8 2014-10-16 - 04:22 over 11 years
0.6 Apache-2.0 8 2014-09-30 - 02:37 over 11 years
0.5.4 Apache-2.0 8 2014-08-21 - 06:12 almost 12 years
0.5.3 Apache-2.0 8 2014-08-07 - 15:33 almost 12 years
0.5.2 Apache-2.0 8 2014-07-10 - 01:32 almost 12 years