cryptography CVEs 2023–2024 — PyPI Security Fix Guide
The Python cryptography package ships binary wheels that bundle OpenSSL and call it through compiled bindings (CFFI in older releases, Rust in recent ones). Many of its CVEs are therefore upstream OpenSSL vulnerabilities, fixed by a release that rebuilds the wheels against a patched OpenSSL. This page lists the 2023–2024 CVEs below together with the first cryptography release that fixes each one.
cryptography CVEs 2023–2024
| CVE | Year | Severity | Description | Origin | Fix |
|---|---|---|---|---|---|
| CVE-2023-49083 | 2023 | HIGH | NULL pointer dereference when loading PKCS#7 certificate bundles (`load_pem_pkcs7_certificates` / `load_der_pkcs7_certificates`) | cryptography | Fixed 41.0.6 |
| CVE-2024-0727 | 2024 | MEDIUM | NULL pointer dereference (DoS) when parsing a malformed PKCS#12 file | OpenSSL (3.2.1) | Fixed 42.0.2 |
| CVE-2024-26130 | 2024 | HIGH | NULL pointer dereference in `pkcs12.serialize_key_and_certificates` when the certificate does not match the private key | cryptography | Fixed 42.0.4 |
| CVE-2024-2511 | 2024 | MEDIUM | Unbounded memory growth in the TLS 1.3 session cache | OpenSSL (3.2.2) | Fixed 42.0.8 |
| CVE-2024-4741 | 2024 | HIGH | Use-after-free in SSL_free_buffers | OpenSSL (3.2.2) | Fixed 42.0.8 |
| CVE-2024-5535 | 2024 | HIGH | Buffer over-read in SSL_select_next_proto | OpenSSL (3.3.2) | Fixed 43.0.1 |
Current safe version
```
# Before (vulnerable to every row in the table)
cryptography==41.0.0

# After (first release that fixes every CVE listed above; any newer release also qualifies)
cryptography==43.0.1

# Update directly
pip install cryptography==43.0.1

# Or update requirements.txt and run:
pip install -r requirements.txt
```

43.0.1 is the minimum that clears the whole table above; if you use a range specifier, `cryptography>=43.0.1` expresses the same requirement without pinning you to that exact release.
Why cryptography has frequent CVEs
The cryptography package calls OpenSSL's C library through compiled bindings, and the binary wheels on PyPI statically link a specific OpenSSL release. When OpenSSL publishes a security fix, the cryptography project typically cuts a new release within days that rebuilds the wheels against the patched OpenSSL (42.0.2 moved to OpenSSL 3.2.1 and 42.0.8 to OpenSSL 3.2.2, for example). Most CVEs attributed to this package are therefore OpenSSL bugs (NULL pointer dereferences, buffer over-reads, memory leaks) rather than bugs in the wrapper itself, although the two PKCS#7 and PKCS#12 issues in the table were in cryptography's own code.

Two consequences follow for patching. First, keep cryptography updated as frequently as you update other dependencies: its safe version changes more often than most Python packages because of this upstream relationship. Second, the fix versions above apply to the PyPI wheels. If cryptography was installed from a Linux distribution package or built from source with `pip install --no-binary cryptography cryptography`, it links the system OpenSSL, and the OpenSSL-origin rows are fixed (or not) by the system OpenSSL version rather than by the pip version, so check the linked OpenSSL as well as `cryptography.__version__`.
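The following script is added here as a worked example; it is not code from PackageFix or from the pyca/cryptography project. It audits a pinned cryptography version against the table above (which rows still apply, and the minimum release that clears them all) and reports the OpenSSL build the installed package is actually linked to, which is the number that matters for the OpenSSL-origin rows. The fix versions are transcribed from the table; the requirements.txt contents are constructed for the example.

```python
"""Audit a cryptography pin against the 2023-2024 CVE table.

Added example, not part of the PackageFix page or of pyca/cryptography.
"""
import re

# (CVE, first cryptography release that fixes it), transcribed from the table.
FIXES = {
    "CVE-2023-49083": "41.0.6",
    "CVE-2024-0727": "42.0.2",
    "CVE-2024-26130": "42.0.4",
    "CVE-2024-2511": "42.0.8",
    "CVE-2024-4741": "42.0.8",
    "CVE-2024-5535": "43.0.1",
}

# Constructed sample manifest for this example (not a real project's file).
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
requests==2.31.0
cryptography==41.0.0   # pinned before any 2023-2024 fix
pyopenssl==23.2.0
"""


def parse_version(v):
    """Turn '42.0.8' into (42, 0, 8); any pre-release suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def vulnerable_cves(installed):
    """CVEs from the table whose fix release is newer than `installed`."""
    have = parse_version(installed)
    return [cve for cve, fix in FIXES.items() if have < parse_version(fix)]


def minimum_safe_version():
    """Lowest release that fixes every CVE in the table."""
    return max(FIXES.values(), key=parse_version)


def pinned_version(requirements_text):
    """Return the version from a `cryptography==X.Y.Z` pin, or None if absent.

    Comments and environment markers after the pin are ignored.
    """
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"cryptography\s*==\s*([0-9][0-9.]*)", line, re.IGNORECASE)
        if m:
            return m.group(1).rstrip(".")
    return None


def linked_openssl():
    """OpenSSL version string the installed package is linked against.

    Returns None when cryptography is not importable. For a wheel this is the
    bundled OpenSSL; for a source build it is the system OpenSSL, which is
    what decides whether the OpenSSL-origin CVEs are fixed.
    """
    try:
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return None
    return backend.openssl_version_text()


if __name__ == "__main__":
    pin = pinned_version(SAMPLE_REQUIREMENTS)
    print("pinned:", pin)
    print("still affected:", vulnerable_cves(pin) if pin else "no pin found")
    print("minimum safe:", minimum_safe_version())
    print("linked OpenSSL:", linked_openssl() or "cryptography not installed")
```

Run it against your own manifest by replacing `SAMPLE_REQUIREMENTS` with the file's contents; the `linked_openssl()` line is the one to compare against the OpenSSL column of the table when the package was not installed as a wheel.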