PT-2026-32072 · PyPI · openssl-encrypt
Published: 2026-03-31 · Updated: 2026-03-31
CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Severity: HIGH
Summary
The Whirlpool hash implementation in openssl_encrypt/modules/registry/hash_registry.py (lines 570-589) uses a glob pattern to search for .so modules in site-packages and loads the first match via importlib without verifying the module's integrity.
Affected Code
```python
import glob
import importlib.util
import os
import site
from importlib.machinery import ExtensionFileLoader

# Vulnerable pattern as shipped: a wildcard search over every site-packages
# directory, loading whichever file the glob happens to return first.
for site_pkg in site.getsitepackages():
    pattern = os.path.join(site_pkg, "whirlpool*py313*.so")
    py313_modules = glob.glob(pattern)
    if py313_modules:
        module_path = py313_modules[0]  # Takes first match, no integrity check
        loader = ExtensionFileLoader("whirlpool", module_path)
        spec = importlib.util.spec_from_file_location("whirlpool", module_path, loader=loader)
        whirlpool_module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(whirlpool_module)
```
Impact
The glob pattern "whirlpool*py313*.so" is broad, and the loader takes the first match without verifying:
- File hash/signature
- File ownership/permissions
- Whether it's a legitimate module
If an attacker can place a malicious .so file matching this pattern in any site-packages directory, it will be loaded and its native code executed.
Recommended Fix
- Verify the module's integrity (hash or signature) before loading
- Use a specific filename rather than a glob pattern
- Check file permissions and ownership
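The three recommendations above, combined in one loader-side check. This is an added example, not openssl-encrypt's code or its actual fix: the file name, the placeholder .so contents and the fixture directory are constructed for the demonstration, and the pinned SHA-256 digest stands in for a value a project would record at release time for each supported platform. The function refuses wildcards, resolves symlinks, requires the target to stay inside a trusted directory, rejects group/world-writable files or files owned by another user, and compares the digest before returning a path that could be handed to importlib.

```python
import hashlib
import os
import stat
import tempfile

POSIX = os.name == "posix"


class UntrustedModuleError(Exception):
    """Raised when a candidate extension file fails an integrity check."""


def find_trusted_extension(filename, search_dirs, expected_sha256):
    """Return the real path of `filename` once it passes every check.

    filename        exact file name, no wildcards (replaces the glob)
    search_dirs     directories the loader trusts, e.g. site.getsitepackages()
    expected_sha256 digest pinned at release time for this platform (assumed)
    """
    if any(ch in filename for ch in "*?[]/\\"):
        raise UntrustedModuleError("filename must be exact, not a pattern")
    for root in (os.path.realpath(d) for d in search_dirs):
        candidate = os.path.join(root, filename)
        if not os.path.lexists(candidate):
            continue
        # Resolve symlinks, then insist the target is still inside `root`.
        real = os.path.realpath(candidate)
        if os.path.commonpath([real, root]) != root:
            raise UntrustedModuleError(f"{candidate} resolves outside {root}")
        # Open once and run the remaining checks on that descriptor, so the
        # file that is stat'ed and hashed is the file that would be loaded.
        with open(real, "rb") as f:
            st = os.fstat(f.fileno())
            if not stat.S_ISREG(st.st_mode):
                raise UntrustedModuleError(f"{real} is not a regular file")
            if POSIX:
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    raise UntrustedModuleError(f"{real} is group/world writable")
                if st.st_uid not in (0, os.getuid()):
                    raise UntrustedModuleError(f"{real} is owned by uid {st.st_uid}")
            h = hashlib.sha256()
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        if h.hexdigest() != expected_sha256:
            raise UntrustedModuleError(f"digest mismatch for {real}")
        return real
    raise UntrustedModuleError(f"{filename} not found in any trusted directory")


def check(filename, search_dirs, expected_sha256):
    """Non-raising wrapper: ('ok', path) or ('rejected', reason)."""
    try:
        return "ok", find_trusted_extension(filename, search_dirs, expected_sha256)
    except UntrustedModuleError as exc:
        return "rejected", str(exc)


def build_fixture():
    """Constructed fixture (no real extension involved): a fake site-packages
    directory holding a placeholder .so, plus a symlink that escapes the
    directory, a tampered copy and a world-writable copy."""
    base = tempfile.mkdtemp(prefix="loader_example_")
    site_dir = os.path.join(base, "site-packages")
    outside = os.path.join(base, "elsewhere")
    os.makedirs(site_dir)
    os.makedirs(outside)
    vetted = b"placeholder bytes standing in for the vetted extension\n"
    good = os.path.join(site_dir, "whirlpool-py313-example.so")  # assumed name
    with open(good, "wb") as f:
        f.write(vetted)
    os.chmod(good, 0o644)
    digest = hashlib.sha256(vetted).hexdigest()
    rogue = os.path.join(outside, "rogue.so")
    with open(rogue, "wb") as f:
        f.write(b"placeholder bytes standing in for an untrusted file\n")
    os.symlink(rogue, os.path.join(site_dir, "whirlpool-link.so"))
    tampered = os.path.join(site_dir, "whirlpool-tampered.so")
    with open(tampered, "wb") as f:
        f.write(b"same directory, different content\n")
    os.chmod(tampered, 0o644)
    writable = os.path.join(site_dir, "whirlpool-writable.so")
    with open(writable, "wb") as f:
        f.write(vetted)
    os.chmod(writable, 0o666)
    return {"site_dir": site_dir, "digest": digest}


if __name__ == "__main__":
    fx = build_fixture()
    for name in ("whirlpool-py313-example.so", "whirlpool-link.so",
                 "whirlpool-tampered.so", "whirlpool-writable.so", "whirlpool*py313*.so"):
        print(name, "->", check(name, [fx["site_dir"]], fx["digest"]))
```

Only the path returned by find_trusted_extension would be passed to ExtensionFileLoader; every rejection happens before any native code is mapped. The digest check is the one that actually pins the module to a known build, so the ownership and permission checks are best read as early, cheap rejections rather than as a substitute for it.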
Fix
Fixed in commit 963d0d1 on branch releases/1.4.x: added os.path.realpath() to resolve symlinks, and validation that any found .so file lies within a known site-packages directory before it is loaded.
Weakness Enumeration
Uncontrolled Search Path Element
Affected Products
Openssl-Encrypt