Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/cryptography@42.0.1
purl pkg:pypi/cryptography@42.0.1
Next non-vulnerable version 46.0.5
Latest non-vulnerable version 46.0.7
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-f44c-ygbw-bufn
Aliases:
CVE-2026-26007
GHSA-r6ph-v2qm-q3c2
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves ## Vulnerability Summary The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine
46.0.5
Affected by 0 other vulnerabilities.
VCID-g772-pn9e-7ufv
Aliases:
CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
42.0.4
Affected by 3 other vulnerabilities.
VCID-gqj1-zam7-c3bv
Aliases:
CVE-2024-12797
GHSA-79v4-65xg-pq4g
Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
44.0.1
Affected by 1 other vulnerability.
VCID-hpev-apm4-sqfw
Aliases:
CVE-2024-0727
GHSA-9v9h-cgj8-h64p
Null pointer dereference in PKCS12 parsing Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
42.0.2
Affected by 4 other vulnerabilities.
VCID-p5vx-kq3j-b3ds
Aliases:
GHSA-h4gh-qq45-vh27
pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20240903.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
43.0.1
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-12T01:41:28.062287+00:00 GitLab Importer Affected by VCID-f44c-ygbw-bufn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2026-26007.yml 38.3.0
2026-04-12T00:39:53.392949+00:00 GitLab Importer Affected by VCID-gqj1-zam7-c3bv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-12797.yml 38.3.0
2026-04-12T00:25:25.359534+00:00 GitLab Importer Affected by VCID-p5vx-kq3j-b3ds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/GHSA-h4gh-qq45-vh27.yml 38.3.0
2026-04-12T00:10:42.048899+00:00 GitLab Importer Affected by VCID-g772-pn9e-7ufv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-26130.yml 38.3.0
2026-04-12T00:08:40.801148+00:00 GitLab Importer Affected by VCID-hpev-apm4-sqfw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-0727.yml 38.3.0
2026-04-03T01:50:22.429406+00:00 GitLab Importer Affected by VCID-f44c-ygbw-bufn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2026-26007.yml 38.1.0
2026-04-03T00:47:49.159943+00:00 GitLab Importer Affected by VCID-gqj1-zam7-c3bv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-12797.yml 38.1.0
2026-04-03T00:33:02.798106+00:00 GitLab Importer Affected by VCID-p5vx-kq3j-b3ds https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/GHSA-h4gh-qq45-vh27.yml 38.1.0
2026-04-03T00:16:18.778678+00:00 GitLab Importer Affected by VCID-g772-pn9e-7ufv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-26130.yml 38.1.0
2026-04-03T00:13:19.027416+00:00 GitLab Importer Affected by VCID-hpev-apm4-sqfw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/cryptography/CVE-2024-0727.yml 38.1.0
2026-04-01T15:16:02.514207+00:00 PyPI Importer Affected by VCID-g772-pn9e-7ufv https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.0.0
2026-04-01T12:49:22.601726+00:00 Pypa Importer Affected by VCID-g772-pn9e-7ufv https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2024-225.yaml 38.0.0