Safeguard
Tag

python-security

Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.

71 articles

Vulnerability Analysis

CVE-2023-25577: Denial of service in Werkzeug multipart p...

CVE-2023-25577 lets attackers trigger denial of service in Werkzeug's multipart parser via crafted uploads. Here's the impact, timeline, and fix.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2020-10108: Cross-protocol scripting in Twisted

CVE-2020-10108 lets a malicious server abuse Twisted's redirect handling for cross-protocol scripting. Affected versions, risk context, and fixes inside.

Oct 3, 20258 min read
Vulnerability Analysis

CVE-2020-10109: Denial of service in Twisted via 100-cont...

CVE-2020-10109 lets attackers hang Twisted's HTTP server with malformed 100-continue requests, exhausting resources until it stops responding.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2021-43818: XSS bypass in lxml Cleaner

CVE-2021-43818 shows how crafted SVG markup could slip past lxml's Cleaner sanitizer and execute script in supposedly 'cleaned' HTML output.

Oct 2, 20258 min read
Vulnerability Analysis

CVE-2020-27783: Cross-site scripting bypass in lxml html ...

CVE-2020-27783 lets attackers bypass lxml's html.clean.Cleaner sanitizer to smuggle XSS past HTML cleaning. Here's what's affected and how to remediate it.

Oct 2, 20257 min read
Vulnerability Analysis

CVE-2018-7750: Authentication bypass in paramiko SSH serv...

CVE-2018-7750 lets attackers bypass authentication on Paramiko SSH servers using interactive auth by forging a success message. Impact, timeline, and fixes inside.

Oct 2, 20258 min read
AppSec

Encryption and Decryption in Python: A Practical Guide

Encryption in Python is easy to get working and surprisingly easy to get wrong — here's how to do symmetric and asymmetric encryption correctly using the cryptography library instead of rolling your own.

Sep 16, 20256 min read
Open Source Security

Dependency Confusion Attacks Five Years Later: Are Enterp...

Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.

Aug 2, 20256 min read
Open Source Security

PyPI Account Recovery: A Security Model Review

Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.

Mar 14, 20246 min read
Application Security

Deserialization Attacks in Java and Python

Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and Python, the gadget chain concept, and practical defenses for both ecosystems.

Dec 5, 20236 min read
Open Source Security

PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security

PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.

Feb 10, 20236 min read
python-security (Page 6) — Safeguard Blog