Stop using pycrypto. Use pycryptodome instead

As we are still seeing a lot of applications depending on the Python Cryptography Toolkit (aka pycrypto) to manage their cryptography, this is a quick reminder to stop using it.

The vulnerability

Pycrypto is vulnerable to a heap-based buffer overflow in the ALGnew function in block_template.c. It allows remote attackers to execute arbitrary code in the Python application that uses the library. The issue was assigned CVE-2013-7459.

Pycrypto has not released a fix for this vulnerability, and no commit has been made to the project since Jun 20, 2014.

Pycryptodome to the rescue

Pycryptodome is a drop-in replacement for the PyCrypto library. Just ‘pip install pycryptodome’ and you’re good to go.

Update your requirements.txt now

Update your requirements.txt file now, and also make sure that none of your other libraries depend on pycrypto.
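Checking both of those things by hand is easy to get wrong, so here is an added audit script (not Sqreen's code) that flags requirements.txt lines installing pycrypto and any installed distribution whose metadata declares a dependency on it. The requirement parsing assumes simple PEP 508-style lines, and the sample requirements file is constructed for the example.

```python
import re
from importlib import metadata

VULNERABLE = {"pycrypto"}        # the unmaintained toolkit
REPLACEMENT = "pycryptodome"     # its drop-in replacement

def canonical(name):
    """Normalise a distribution name the way pip does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Distribution name from a requirements or Requires-Dist line, or None
    for blank lines, comments, pip options (-r, -e, --index-url) and URLs."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-") or "://" in line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return canonical(m.group(1)) if m else None

def vulnerable_requirements(text):
    """Lines of a requirements file that install pycrypto directly."""
    return [ln for ln in text.splitlines()
            if requirement_name(ln) in VULNERABLE]

def dependents_of_pycrypto():
    """Installed distributions whose Requires-Dist metadata names pycrypto,
    mapped to the matching requirement strings (transitive pulls)."""
    found = {}
    for dist in metadata.distributions():
        hits = [req for req in (dist.requires or [])
                if requirement_name(req) in VULNERABLE]
        if hits:
            found[canonical(dist.metadata.get("Name") or "?")] = hits
    return found

# Constructed sample requirements.txt; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==1.0.2
pycrypto>=2.6.1  # unmaintained, CVE-2013-7459
PyCryptodome==3.6.1
-e git+https://example.invalid/repo.git#egg=internal
"""

if __name__ == "__main__":
    for ln in vulnerable_requirements(SAMPLE_REQUIREMENTS):
        print(f"replace '{ln.strip()}' with {REPLACEMENT}")
    for dep, reqs in dependents_of_pycrypto().items():
        print(f"installed {dep} requires {reqs}")
```

Run it inside the project's virtualenv so the installed-distribution scan sees the same packages your application imports.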

Does your application use this vulnerable package?

Test your application now!
