Platform: python
Component: pyrage
Fixed in: 1.2.1, 1.2.3
CVE-2024-56327 affects pyrage versions up to and including 1.2.2. The vulnerability stems from pyrage's dependency on the Rust age crate, which contains a critical flaw (GHSA-4fg7-vxc8-qx5w). Exploitation could lead to information disclosure and manipulation of data. A fix is available in version 1.2.3.
The underlying vulnerability in the age crate allows for potential information disclosure and manipulation of encrypted data. Because pyrage wraps this crate, any application using a vulnerable version of pyrage inherits the flaw. Attackers could potentially decrypt sensitive information or tamper with data integrity. As with other cryptographic vulnerabilities rooted in an underlying library, the weakness is exposed through every application that depends on it. The impact is particularly severe given the potential for data compromise.
This CVE is linked to GHSA-4fg7-vxc8-qx5w, a known vulnerability in the age crate. Public proof-of-concept exploits for the underlying age vulnerability may exist or be developed. The vulnerability was published on 2024-12-19. The EPSS score is pending evaluation, but given the CRITICAL CVSS score and the nature of the vulnerability, the probability of exploitation is assessed as medium to high.
Exploit Status:
EPSS: 0.42% (62nd percentile)
CVSS Vector:
The primary mitigation is to upgrade pyrage to version 1.2.3 or later, which replaces the vulnerable age crate dependency with a patched one. If upgrading is not immediately feasible, consider isolating pyrage instances to limit the blast radius of a potential compromise. No direct workaround is available, but reviewing and restricting access to the data processed by pyrage can reduce the potential impact. After upgrading, verify the fix by confirming that the updated pyrage installation no longer exhibits the vulnerable behaviour under the known attack vectors.
Update the pyrage library to version 1.2.3 or higher. This fixes the vulnerability that allows arbitrary binary execution through malicious plugin names, recipients, or identities. You can update using `pip install --upgrade pyrage`.
CVE-2024-56327 is a critical vulnerability in pyrage (versions ≤ 1.2.2) caused by a dependency on the vulnerable Rust age crate (GHSA-4fg7-vxc8-qx5w), potentially leading to information disclosure.
You are affected if you are using pyrage version 1.2.2 or earlier. Versions before 1.2.0 are not affected because they lack plugin support.
Upgrade pyrage to version 1.2.3 or later to resolve the vulnerability. This updates the dependency to a patched version of the age crate.
While active exploitation is not confirmed, the CRITICAL severity and the availability of potential exploits for the underlying age crate suggest a high likelihood of exploitation.
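The two statements above (affected if 1.2.0 ≤ version ≤ 1.2.2, fixed in 1.2.3) translate directly into a version check. The script below is an added example, not part of this advisory or of the pyrage project: it compares a pinned version from a requirements.txt, or the version installed in the current interpreter, against the affected range. It assumes plain numeric `X.Y.Z` release versions and `==` pins; the sample requirements text is constructed for the example.

```python
"""Added example: flag pyrage versions in the range this advisory calls
affected (1.2.0 <= version < 1.2.3) and point to the upgrade command.
Assumes plain numeric 'X.Y.Z' versions and '==' pins in requirements.txt."""

import re
from typing import List, Optional, Tuple

FIRST_AFFECTED = (1, 2, 0)   # plugin support arrived here, per the advisory
FIXED_IN = (1, 2, 3)         # first pyrage release with the patched age crate


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.2' into (1, 2, 2); any pre-release suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a numeric version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '1.2' -> (1, 2, 0)


def is_affected(version: str) -> bool:
    """True when the version is within the advisory's affected range."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_IN


def pinned_version(requirement_line: str, package: str = "pyrage") -> Optional[str]:
    """Return the '==' pin for `package` on one requirements.txt line, if any."""
    line = requirement_line.split("#", 1)[0].strip()   # drop trailing comments
    m = re.match(rf"{re.escape(package)}\s*==\s*([0-9][0-9.]*)", line, re.IGNORECASE)
    return m.group(1) if m else None


def scan_requirements(text: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every pyrage pin in a requirements file."""
    findings = []
    for line in text.splitlines():
        ver = pinned_version(line)
        if ver is not None:
            findings.append((ver, is_affected(ver)))
    return findings


def installed_pyrage_affected() -> Optional[bool]:
    """Check the pyrage installed in this interpreter; None if not installed."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return is_affected(version("pyrage"))
    except PackageNotFoundError:
        return None


# Constructed sample requirements file (not taken from the advisory).
SAMPLE_REQUIREMENTS = """\
cryptography==42.0.5
pyrage==1.2.2      # in the affected range: has plugin support, predates the fix
"""

if __name__ == "__main__":
    for ver, affected in scan_requirements(SAMPLE_REQUIREMENTS):
        status = "AFFECTED, run: pip install --upgrade pyrage" if affected else "ok"
        print(f"pyrage=={ver}: {status}")
    env = installed_pyrage_affected()
    print("installed pyrage:", "not installed" if env is None else ("AFFECTED" if env else "ok"))
```

The range check treats 1.2.3 and later as fixed and anything below 1.2.0 as unaffected, matching the advisory's own boundaries; a CI job can call `scan_requirements` on each service's lock file and fail the build on any `True` result.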
Refer to the advisory details linked in the CVE description: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c.