PT-2026-32059 · Pypi · Openssl-Encrypt
Published
2026-03-31
·
Updated
2026-03-31
CVSS v4.0
6.6
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
Summary
In
openssl encrypt/modules/json validator.py at lines 234-238, when the jsonschema library is not installed, all schema validation is silently skipped with only a print warning.Affected Code
python
if not JSONSCHEMA AVAILABLE:
print(f"Warning: Cannot validate against schema '{schema name}' - jsonschema library not available")
returnAdditionally, unknown metadata format versions (line 288-293) bypass schema validation entirely, and all schemas use
additionalProperties: true allowing arbitrary extra fields.Impact
An attacker who can influence the Python environment (remove the jsonschema package) or craft metadata with an unknown version number can bypass all schema checks. Malformed or malicious metadata will be accepted without validation.
Recommended Fix
- Make
jsonschemaa required dependency, not optional - Or fail-closed: refuse to process metadata when validation cannot be performed
- Reject unknown format versions instead of silently skipping validation
- Consider using
additionalProperties: falsein schemas
Fix
Fixed in commit
6e7f938 on branch releases/1.4.x — validate against schema() now raises JSONValidationError when jsonschema is unavailable instead of silently passing; changed print() warning to logging.warning().Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openssl-Encrypt