All cryptography CVEs — Complete Vulnerability History

The cryptography package is the foundation of Python TLS and PKI — used by requests, paramiko, pyOpenSSL, and hundreds of other packages. CVEs here deserve serious attention: a flaw in this package can weaken TLS, certificate validation or key handling in everything built on top of it.

PyPI · 100M+ weekly downloads · 5 CVEs total · 2 CRITICAL · 🔴 CISA KEV

CVE history — all 5 known vulnerabilities

🔴 1 CVE on CISA KEV — actively exploited in real attacks

CVE ID         | Year | Severity    | Description                                              | Fix
CVE-2020-25659 | 2020 | MEDIUM      | Bleichenbacher timing oracle in RSA decryption           | Fixed in 3.2.1
CVE-2021-3712  | 2021 | HIGH        | Buffer over-read in ASN.1 string handling (via OpenSSL)  | Fixed in 3.3.2
CVE-2023-0286  | 2023 | 🔴 CRITICAL | X.400 type confusion in OpenSSL — CISA KEV               | Fixed in 39.0.1
CVE-2023-23931 | 2023 | MEDIUM      | Bleichenbacher oracle via mutable Cipher objects         | Fixed in 39.0.1
CVE-2023-49083 | 2023 | CRITICAL    | NULL pointer dereference in PKCS12 parsing               | Fixed in 41.0.6

Current safe version

✓ Update to 42.0.8

The latest safe version addresses all 5 known CVEs listed above.

Before and after

Vulnerable:

cryptography==36.0.0

Fixed:

cryptography==42.0.8

Then run: pip install -r requirements.txt
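A static version of the before/after check above, added here as an example and not PackageFix's own code: it reads the pinned cryptography version out of a requirements manifest and reports which CVEs from the table have no fix at that version. The sample manifest, the CVE_FIXED_IN table and the function names are constructed for this example; it assumes plain X.Y.Z pins and ignores pre-release tags.

```python
import re
from typing import Optional

# The CVE table from this page: CVE ID -> first cryptography release with the fix.
CVE_FIXED_IN = {
    "CVE-2020-25659": "3.2.1",
    "CVE-2021-3712": "3.3.2",
    "CVE-2023-0286": "39.0.1",
    "CVE-2023-23931": "39.0.1",
    "CVE-2023-49083": "41.0.6",
}

# Constructed sample manifest, not a real project's requirements.txt.
SAMPLE_REQUIREMENTS = """\
# constructed example manifest
requests==2.31.0
cryptography==36.0.0   # pinned too low
paramiko>=3.0
"""

# Matches an exact '==' pin, with or without extras such as cryptography[ssh].
PIN_RE = re.compile(r"^\s*cryptography(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text: str) -> tuple:
    """'39.0.1' -> (39, 0, 1). Leading digits of each dotted piece are kept, so a
    pre-release tag is ignored ('41.0.6rc1' counts as 41.0.6): good enough here."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def pinned_cryptography_version(requirements: str) -> Optional[str]:
    """Return the '==' pin for cryptography, or None when it is absent or only
    range-constrained ('>=' resolves at install time and cannot be checked here)."""
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m:
            return m.group(1)
    return None


def unpatched_cves(version: str) -> list:
    """CVE IDs whose fix landed in a release newer than the given version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in CVE_FIXED_IN.items() if v < parse_version(fixed))


def check_manifest(requirements: str) -> dict:
    pin = pinned_cryptography_version(requirements)
    return {"pinned": pin, "unpatched": unpatched_cves(pin) if pin else None}


if __name__ == "__main__":
    print(check_manifest(SAMPLE_REQUIREMENTS))
```

A result of `"pinned": None` means the manifest does not pin cryptography exactly, so the installed version must be read from the environment (for example `pip show cryptography`) before the table can be applied.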


Common questions

Why does cryptography have CVEs that reference OpenSSL?
The cryptography package wraps OpenSSL (the C library) via cffi. When OpenSSL has a CVE, the cryptography package inherits it. The binary wheels on PyPI bundle their own statically linked OpenSSL, so updating cryptography pulls in a patched OpenSSL build; if you build from source against the system OpenSSL instead, that system library has to be patched separately. This is why cryptography version updates are often described as 'updating OpenSSL bindings'.
Is CVE-2023-0286 serious for most applications?
CVE-2023-0286 (X.400 type confusion) is CRITICAL and on CISA KEV, but it specifically affects applications that process X.400 certificates from untrusted sources. Most web apps don't encounter X.400. Still upgrade immediately — the CISA KEV designation means it's being exploited.
How often should I update the cryptography package?
Every release. The cryptography team has a security-first philosophy and releases frequently. Given that this package underlies TLS for most Python applications, staying current is worth the maintenance overhead.
What happens if I don't update cryptography?
You're inheriting OpenSSL vulnerabilities. In production, this means your TLS connections may be vulnerable to attacks depending on which CVEs are unpatched. For apps handling sensitive data, this is unacceptable technical debt.
