
CPython vulnerabilities are now published to the Open Source Vulnerability Database

Published 2023-09-19 by Seth Larson
Reading time: 3 minutes

This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Security advisories for Python are now published to the OSV Vulnerability Database! 🎉🥳 This means you can use the OSV API to access machine-parseable information about security vulnerabilities affecting Python.

The vulnerability information is ingested from the Python Software Foundation's Advisory Database on GitHub, which was primarily sourced from Victor Stinner's python-security project. This database is open to contributions, so if you see anything missing or incorrect we welcome pull requests. This is a huge step forward in the automation and discoverability of vulnerability information for Python itself, which previously required custom tooling.

Thanks to Oliver Chang and Andrew Pollock for setting up the ingestion into the database and helping resolve issues.

To get complete information about a single vulnerability by its ID you can query the API directly:

$ curl "https://api.osv.dev/v1/vulns/PSF-2023-8" | jq

{
  "id": "PSF-2023-8",
  "summary": "Bypass TLS handshake on closed sockets",
  "details": "Instances of `ssl.SSLSocket` are vulnerable to a bypass ...",
  "aliases": [
    "CVE-2023-40217"
  ],
  "modified": "2023-09-18T01:59:58.377178Z",
  "published": "2023-08-24T00:00:00Z",
  "references": [
    ...
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/python/cpython",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b4bcc06a9cfe13d96d5270809d963f8ba278f89b"
            },
...

If you have a git commit hash for CPython you can query the database to see all vulnerabilities that affect that git commit. I'm hopeful that the database can be improved to add support for git tags in order to support querying by Python version.

$ curl -s -d '{"commit": "7f777ed95a19224294949e1b4ce56bbffcb1fe9f"}' \
  https://api.osv.dev/v1/query | jq ".vulns[].id" | sort

"PSF-2007-1"
"PSF-2007-2"
"PSF-2008-1"
"PSF-2008-10"
"PSF-2008-2"
...

Beyond commit hashes, the OSV API currently only allows you to query by package version, which doesn't work for "upstream" Python since it is distributed outside of a packaging ecosystem (i.e. via https://python.org/downloads). Re-distributions of Python in packaging ecosystems like Debian have their own set of advisories which are also available on OSV. You can look at DLA-3477-1 for an example of what such an advisory looks like for a redistribution of Python.
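Since there is no version query for upstream CPython yet, the practical workflow is: query OSV by commit, pull the "fixed" commits out of each record's GIT ranges, and ask your local checkout whether it already contains one of them. The script below is an added example (not code from the post or from OSV): it follows the record shape of the PSF-2023-8 entry above, uses `git merge-base --is-ancestor` for the ancestry check, and embeds a constructed sample response so the logic can be exercised offline. The ancestry check is injectable so it can be stubbed without a CPython checkout.

```python
"""Query OSV for vulnerabilities affecting a CPython commit and report the
ones whose fix is not yet in a local checkout.  Added example, not the
original post's code.  Network access is only used in __main__."""
import json
import subprocess
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
CPYTHON_REPO = "https://github.com/python/cpython"


def query_osv_by_commit(commit: str) -> dict:
    """POST {"commit": ...} to the OSV query endpoint (needs network)."""
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=json.dumps({"commit": commit}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fix_commits(vuln: dict, repo: str = CPYTHON_REPO) -> list[str]:
    """Collect every 'fixed' commit from the GIT ranges that target `repo`.
    One advisory may carry several ranges (one per maintained branch)."""
    fixes = []
    for affected in vuln.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "GIT" or rng.get("repo") != repo:
                continue
            for event in rng.get("events", []):
                if "fixed" in event:
                    fixes.append(event["fixed"])
    return fixes


def git_is_ancestor(repo_dir: str, commit: str, descendant: str = "HEAD") -> bool:
    """True if `commit` is reachable from `descendant` in the checkout."""
    result = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", commit, descendant],
        capture_output=True,
    )
    return result.returncode == 0


def unfixed_vulns(response: dict, repo_dir: str, is_ancestor=git_is_ancestor) -> list[str]:
    """IDs of vulnerabilities for which none of the fix commits is an ancestor
    of the checkout.  A fix on another branch (e.g. a 3.11 backport when you
    are on main) simply does not match; the main-branch fix will.  A record
    with no fix commit at all is reported as unfixed, the conservative choice."""
    unfixed = []
    for vuln in response.get("vulns", []):
        if not any(is_ancestor(repo_dir, fix) for fix in fix_commits(vuln)):
            unfixed.append(vuln["id"])
    return sorted(unfixed)


# Constructed sample response, shaped like the PSF-2023-8 record shown above.
SAMPLE_RESPONSE = {
    "vulns": [
        {
            "id": "PSF-2023-8",
            "aliases": ["CVE-2023-40217"],
            "affected": [{"ranges": [{
                "type": "GIT",
                "repo": CPYTHON_REPO,
                "events": [
                    {"introduced": "0"},
                    {"fixed": "b4bcc06a9cfe13d96d5270809d963f8ba278f89b"},
                ],
            }]}],
        }
    ]
}


if __name__ == "__main__":
    import sys
    # Usage: python osv_commit_check.py <cpython_checkout_dir> <commit_hash>
    repo_dir, commit = sys.argv[1], sys.argv[2]
    for vuln_id in unfixed_vulns(query_osv_by_commit(commit), repo_dir):
        print("not fixed in checkout:", vuln_id)
```

Note that the commit you query must be one OSV knows from the upstream repository (a full hash of a real CPython commit); querying with a tag name such as `v3.12.0` is exactly what the API does not support yet.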

If you're interested in OSV you can check out Andrew Pollock's excellent talk and slides about OSV at OpenSSF Day Europe 2023.

OpenSSF Day Europe 2023

Woke up early in the morning to catch the livestream of OpenSSF Day Europe 2023. The slides for my presentation have been uploaded to the event page and I expect the recordings will be made available on the OpenSSF YouTube Channel at a later date. Massive thank-you to my co-presenter Cheuk-Ting Ho for presenting live and in-person about why the investments into Python security are important and what individual users can do to do their part.

I also got to listen to William Woodruff's talk on Trusted Publishing on PyPI and things to be aware of for other ecosystems looking to implement a similar scheme.

GitHub Security Advisories for the PSRT

Moving forward with more improvements to the Python Security Response Team (PSRT) process, I began to create a simple GitHub app that allows configuring a default GitHub team to be added to every new draft GitHub Security Advisory (GHSA) that's submitted to a GitHub repository.

I've made a feature request for this functionality to be native to GHSA, please upvote this request if it seems useful to other projects.

The reason this GitHub App is needed is that by default, GitHub Security Advisories only populate admins of the GitHub repository as collaborators. The PSRT is made up of many individuals, a team much larger than we'd want as GitHub administrators, so being able to add a separate team as collaborators carries less risk.

Unfortunately I have been unable to get a repository_advisory:reported event to be sent to the GitHub app, despite many attempts to configure the permissions and settings. The APIs are so new and the number of configurations I tried was so exhaustive that I filed a potential bug about this issue.

Other items

That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.


This work is licensed under CC BY-SA 4.0