Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-n33y-a6pm-6ug3
Vulnerability ID VCID-n33y-a6pm-6ug3
Aliases GHSA-425g-fjhq-5h92
Summary openssl-encrypt silently skips schema validation when jsonschema library is not installed ### Summary In `openssl_encrypt/modules/json_validator.py` at **lines 234-238**, when the `jsonschema` library is not installed, all schema validation is silently skipped with only a print warning. ### Affected Code ```python if not JSONSCHEMA_AVAILABLE: print(f"Warning: Cannot validate against schema '{schema_name}' - jsonschema library not available") return ``` Additionally, unknown metadata format versions (line 288-293) bypass schema validation entirely, and all schemas use `additionalProperties: true` allowing arbitrary extra fields. ### Impact An attacker who can influence the Python environment (remove the jsonschema package) or craft metadata with an unknown version number can bypass all schema checks. Malformed or malicious metadata will be accepted without validation. ### Recommended Fix - Make `jsonschema` a required dependency, not optional - Or fail-closed: refuse to process metadata when validation cannot be performed - Reject unknown format versions instead of silently skipping validation - Consider using `additionalProperties: false` in schemas ### Fix Fixed in commit `6e7f938` on branch `releases/1.4.x` — validate_against_schema() now raises JSONValidationError when jsonschema is unavailable instead of silently passing; changed print() warning to logging.warning().
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-425g-fjhq-5h92
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/commit/6e7f938dcb7928faf5fd12bb5559f6dae2944124
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/commit/6e7f938dcb7928faf5fd12bb5559f6dae2944124
cvssv3.1_qr MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-425g-fjhq-5h92
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-425g-fjhq-5h92
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-425g-fjhq-5h92
Reference id Reference type URL
https://github.com/jahlives/openssl_encrypt
https://github.com/jahlives/openssl_encrypt/commit/6e7f938dcb7928faf5fd12bb5559f6dae2944124
https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-425g-fjhq-5h92
GHSA-425g-fjhq-5h92 https://github.com/advisories/GHSA-425g-fjhq-5h92
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/commit/6e7f938dcb7928faf5fd12bb5559f6dae2944124
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-425g-fjhq-5h92
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:49:04.689868+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-425g-fjhq-5h92/GHSA-425g-fjhq-5h92.json 38.6.0