GHSA-425G-FJHQ-5H92

Vulnerability from github – Published: 2026-03-31 23:43 – Updated: 2026-03-31 23:43
VLAI
Summary
openssl-encrypt silently skips schema validation when jsonschema library is not installed
Details

Summary

In openssl_encrypt/modules/json_validator.py at lines 234-238, when the jsonschema library is not installed, all schema validation is silently skipped with only a print warning.

Affected Code

if not JSONSCHEMA_AVAILABLE:
    print(f"Warning: Cannot validate against schema '{schema_name}' - jsonschema library not available")
    return

Additionally, unknown metadata format versions (line 288-293) bypass schema validation entirely, and all schemas use additionalProperties: true allowing arbitrary extra fields.

Impact

An attacker who can influence the Python environment (remove the jsonschema package) or craft metadata with an unknown version number can bypass all schema checks. Malformed or malicious metadata will be accepted without validation.

Recommended Fix

  • Make jsonschema a required dependency, not optional
  • Or fail-closed: refuse to process metadata when validation cannot be performed
  • Reject unknown format versions instead of silently skipping validation
  • Consider using additionalProperties: false in schemas

Fix

Fixed in commit 6e7f938 on branch releases/1.4.x — validate_against_schema() now raises JSONValidationError when jsonschema is unavailable instead of silently passing; changed print() warning to logging.warning().

Severity
6.6 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openssl-encrypt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:43:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIn `openssl_encrypt/modules/json_validator.py` at **lines 234-238**, when the `jsonschema` library is not installed, all schema validation is silently skipped with only a print warning.\n\n### Affected Code\n\n```python\nif not JSONSCHEMA_AVAILABLE:\n    print(f\"Warning: Cannot validate against schema \u0027{schema_name}\u0027 - jsonschema library not available\")\n    return\n```\n\nAdditionally, unknown metadata format versions (line 288-293) bypass schema validation entirely, and all schemas use `additionalProperties: true` allowing arbitrary extra fields.\n\n### Impact\n\nAn attacker who can influence the Python environment (remove the jsonschema package) or craft metadata with an unknown version number can bypass all schema checks. Malformed or malicious metadata will be accepted without validation.\n\n### Recommended Fix\n\n- Make `jsonschema` a required dependency, not optional\n- Or fail-closed: refuse to process metadata when validation cannot be performed\n- Reject unknown format versions instead of silently skipping validation\n- Consider using `additionalProperties: false` in schemas\n\n### Fix\n\nFixed in commit `6e7f938` on branch `releases/1.4.x` \u2014 validate_against_schema() now raises JSONValidationError when jsonschema is unavailable instead of silently passing; changed print() warning to logging.warning().",
  "id": "GHSA-425g-fjhq-5h92",
  "modified": "2026-03-31T23:43:33Z",
  "published": "2026-03-31T23:43:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-425g-fjhq-5h92"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jahlives/openssl_encrypt/commit/6e7f938dcb7928faf5fd12bb5559f6dae2944124"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jahlives/openssl_encrypt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "openssl-encrypt silently skips schema validation when jsonschema library is not installed"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.