GHSA-j48q-4c78-rhf9
openssl-encrypt: Dynamic .so loading for Whirlpool uses broad glob pattern without integrity verification
Blast Radius
openssl-encryptReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Severity: HIGH
Summary
The Whirlpool hash implementation in openssl_encrypt/modules/registry/hash_registry.py at lines 570-589 uses glob patterns to find .so modules in site-packages and loads the first match via importlib without verifying module integrity.
Affected Code
for site_pkg in site.getsitepackages():
pattern = os.path.join(site_pkg, "whirlpool*py313*.so")
py313_modules = glob.glob(pattern)
if py313_modules:
module_path = py313_modules[0] # Takes first match
loader = ExtensionFileLoader("whirlpool", module_path)
spec = importlib.util.spec_from_file_location("whirlpool", module_path, loader=loader)
whirlpool_module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(whirlpool_module)
Impact
The glob pattern "whirlpool*py313*.so" is broad and takes the first match without verifying:
- File hash/signature
- File ownership/permissions
- Whether it's a legitimate module
If an attacker can place a malicious .so file matching this pattern in any site-packages directory, it will be loaded and native code executed.
Recommended Fix
- Verify the module's integrity (hash or signature) before loading
- Use a specific filename rather than a glob pattern
- Check file permissions and ownership
Fix
Fixed in commit 963d0d1 on branch releases/1.4.x — added os.path.realpath() to resolve symlinks and validation that found .so files are within known site-packages directories before loading.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | openssl-encrypt | all versions | 1.4.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openssl-encrypt. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openssl-encrypt to 1.4.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-j48q-4c78-rhf9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-j48q-4c78-rhf9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-j48q-4c78-rhf9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-j48q-4c78-rhf9 in your dependencies?
O3 detects GHSA-j48q-4c78-rhf9 across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.