Commit dda2525
sethmlarson and hugovk authored
Apply suggestions from code review
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
1 parent 1d9c651 commit dda2525

1 file changed

Lines changed: 2 additions & 3 deletions

content/posts/mitigated-api-bypass-for-download-metadata-python-dot-org/index.md

@@ -1,7 +1,6 @@
11
---
22
title: Mitigated API authentication bypass for python.org download metadata
33
publishDate: '2026-06-23'
4-
updatedDate: '2026-06-23'
54
author: Seth Larson
65
description: 'Vulnerability mitigated in python.org with follow-up third-party audit from Trail of Bits'
76
tags:
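Review bot: dropping `updatedDate: '2026-06-23'` from the front matter is reasonable while it only duplicates `publishDate`, but the description promises a "follow-up third-party audit from Trail of Bits", so the post will almost certainly be revised later; plan to reinstate `updatedDate` with the real revision date at that point rather than leaving readers without a signal that the content changed.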
@@ -17,9 +16,9 @@ If exploited, this would have allowed an attacker to modify Python release and f
1716

1817
## Details
1918

20-
PSRT confirmed the vulnerability on a local instance of python.org. [Seth Larson](https://github.com/sethmlarson) and [Hugo van Kemenade](https://github.com/hugovk) developed and deployed [the patch](https://github.com/python/pythondotorg/pull/2946) to production with help from [Jacob Coffee](https://github.com/jacobcoffee). Less than 48 hours after the initial report the PSRT and the reporter confirmed that the proof-of-concept provided by the reporter no longer worked locally or on the production deployment.
19+
PSRT confirmed the vulnerability on a local instance of python.org. [Seth Larson](https://github.com/sethmlarson) and [Hugo van Kemenade](https://hugovk.dev/) developed and deployed [the patch](https://github.com/python/pythondotorg/pull/2946) to production with help from [Jacob Coffee](https://github.com/jacobcoffee). Less than 48 hours after the initial report the PSRT and the reporter confirmed that the proof-of-concept provided by the reporter no longer worked locally or on the production deployment.
2120

22-
This vulnerability was likely never exploited, however due to the age of the vulnerability ([existing in the codebase since 2014](https://github.com/python/pythondotorg/commit/0be429f0213cc735084a81d9b5d2dcf56467849b#diff-79d93d354534ebbcabe21fac3845315a8efe1fa0350576810962b3cc50fa3f5cR5-R14)) we don’t have absolute certainty beyond our logs and database backups. We believe attempts to exploit this vulnerability would have been “loud” and discovered quickly given the number of downstream tools and distributions automatically verifying the Sigstore and PGP materials.
21+
This vulnerability was likely never exploited, however due to the age of the vulnerability ([existing in the codebase since 2014](https://github.com/python/pythondotorg/commit/0be429f0213cc735084a81d9b5d2dcf56467849b#diff-79d93d354534ebbcabe21fac3845315a8efe1fa0350576810962b3cc50fa3f5cR12-R14)) we don’t have absolute certainty beyond our logs and database backups. We believe attempts to exploit this vulnerability would have been “loud” and discovered quickly given the number of downstream tools and distributions automatically verifying the Sigstore and PGP materials.
2322

2423
We confirmed that all artifacts on python.org had not been modified by verifying Sigstore and PGP materials. Our own workflow verifying all Sigstore signatures did not signal any changes to artifacts from years prior. While verifying PGP materials we were able to verify all signatures where keys are still readily accessible from Python 2.5 to 3.13. Note that Python 3.14 and onwards [no longer provide PGP materials](https://peps.python.org/pep-0761/), so these were verified with Sigstore.
2524
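Review bot: the 2014 commit link in paragraph 21 narrows its anchor from `R12-R14` (previously `R5-R14`); before merging, open the linked diff and confirm those three lines are the ones that introduced the unauthenticated code path, since a stale line anchor in an advisory silently points readers at the wrong code. The swap of Hugo's link from the GitHub profile to https://hugovk.dev/ is fine. Unrelated to this change but visible in both versions of the same paragraph, "This vulnerability was likely never exploited, however due to the age of the vulnerability" is a comma splice; consider "This vulnerability was likely never exploited; however, due to the age of the vulnerability".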
