python-security
Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.
71 articles
CVE-2023-25577: Denial of service in Werkzeug multipart p...
CVE-2023-25577 lets attackers trigger denial of service in Werkzeug's multipart parser via crafted uploads. Here's the impact, timeline, and fix.
CVE-2020-10108: Cross-protocol scripting in Twisted
CVE-2020-10108 lets a malicious server abuse Twisted's redirect handling for cross-protocol scripting. Affected versions, risk context, and fixes inside.
CVE-2020-10109: Denial of service in Twisted via 100-cont...
CVE-2020-10109 lets attackers hang Twisted's HTTP server with malformed 100-continue requests, exhausting resources until it stops responding.
CVE-2021-43818: XSS bypass in lxml Cleaner
CVE-2021-43818 shows how crafted SVG markup could slip past lxml's Cleaner sanitizer and execute script in supposedly 'cleaned' HTML output.
CVE-2020-27783: Cross-site scripting bypass in lxml html ...
CVE-2020-27783 lets attackers bypass lxml's html.clean.Cleaner sanitizer to smuggle XSS past HTML cleaning. Here's what's affected and how to remediate it.
CVE-2018-7750: Authentication bypass in paramiko SSH serv...
CVE-2018-7750 lets attackers bypass authentication on Paramiko SSH servers using interactive auth by forging a success message. Impact, timeline, and fixes inside.
Encryption and Decryption in Python: A Practical Guide
Encryption in Python is easy to get working and surprisingly easy to get wrong — here's how to do symmetric and asymmetric encryption correctly using the cryptography library instead of rolling your own.
Dependency Confusion Attacks Five Years Later: Are Enterp...
Five years after Alex Birsan's $130K dependency confusion disclosure, real attacks like PyTorch's torchtriton incident show the flaw is still live. Here's what's actually fixed.
PyPI Account Recovery: A Security Model Review
Account recovery is where most identity systems leak security, and PyPI is no exception. A close look at how recovery works today, where the edges are, and what enterprise publishers should plan around.
Deserialization Attacks in Java and Python
Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and Python, the gadget chain concept, and practical defenses for both ecosystems.
PyPI Mandatory 2FA for Critical Packages: A Turning Point for Python Security
PyPI's decision to require two-factor authentication for critical package maintainers marks a significant step toward securing the Python supply chain.