vimalloc / flask-jwt-extended

An open source Flask extension that provides JWT support (with batteries included)!
http://flask-jwt-extended.readthedocs.io/en/stable/
MIT License

Minimum cryptography version is vulnerable to CVE #539

Open jtait opened 10 months ago

jtait commented 10 months ago

I see in #535 there is a bump to cryptography up to version 41.0.6. This bump only applies to requirements.txt and not setup.py, so the version of flask-jwt-extended installed from PyPI doesn't enforce the minimum version. This allows an installation to use a vulnerable version of Cryptography with this library.

I didn't open a pull request because I'm not sure if you want to force users to upgrade. The current setup doesn't prevent users from upgrading but in my own case I updated flask-jwt-extended using Poetry in my project and a new version of cryptography wasn't installed automatically.

Is this something you want addressed? If not it might be worth adding a note to the docs warning against the vulnerable dependency.
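The gap described in this report comes from which file an installer actually reads: `requirements.txt` pins the maintainer's own environment, while a `pip install flask-jwt-extended` from PyPI only enforces `install_requires` in `setup.py`. The following script is an added example (not part of the issue thread or of flask-jwt-extended's own code) that audits both files for a given package and fix version, and checks the running interpreter. The `SAMPLE_INSTALL_REQUIRES` and `SAMPLE_REQUIREMENTS_TXT` contents are constructed placeholders, not the project's real files, and the parser assumes plain `name<op>version` lines without extras, markers or URLs.

```python
"""Audit whether a dependency floor actually reaches installers.

Added example, not flask-jwt-extended's own code. requirements.txt only
pins the maintainer's environment; what a PyPI install enforces is
install_requires in setup.py. Sample data below is constructed.
"""
import re
from importlib import metadata

# name, optional operator, optional plain version (assumption: no extras,
# environment markers or URL requirements in the lines we audit)
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(>=|==|~=|<=|>|<)?\s*([0-9][0-9A-Za-z.]*)?\s*$"
)


def normalize(name):
    """PyPI names compare case-insensitively with '_' and '-' equivalent."""
    return name.lower().replace("_", "-")


def parse_requirement(spec):
    """Return (normalized name, operator or None, version or None)."""
    spec = spec.split("#", 1)[0]  # drop trailing comments
    m = _REQ_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported requirement line: {spec!r}")
    name, op, ver = m.groups()
    return normalize(name), op, ver


def version_key(ver):
    """Numeric components only, so '41.0.6' -> (41, 0, 6)."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def satisfies(installed, op, wanted):
    """Compare two plain versions; missing trailing components count as 0."""
    a, b = version_key(installed), version_key(wanted)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    if op == "~=":  # compatible release: >= wanted and same leading components
        bw = version_key(wanted)
        return a >= b and a[: len(bw) - 1] == bw[: len(bw) - 1]
    return {">=": a >= b, "==": a == b, "<=": a <= b, ">": a > b, "<": a < b}[op]


def enforced_floor(install_requires, package):
    """Lowest version an installer is forced to; None if unconstrained/absent."""
    for spec in install_requires:
        name, op, ver = parse_requirement(spec)
        if name == normalize(package):
            return ver if op in (">=", "==", "~=") else None
    return None


def pinned_in_requirements(requirements_txt, package):
    """Version a requirements.txt line pins the package to, or None."""
    for line in requirements_txt.splitlines():
        if not line.split("#", 1)[0].strip():
            continue
        name, op, ver = parse_requirement(line)
        if name == normalize(package) and op in ("==", ">=", "~=") and ver:
            return ver
    return None


def audit_floor(install_requires, requirements_txt, package, fixed_in):
    """Does the fixed version reach developers (requirements.txt) and end
    users (install_requires)? Returns both floors and a verdict for each."""
    floor = enforced_floor(install_requires, package)
    pin = pinned_in_requirements(requirements_txt, package)
    return {
        "install_requires_floor": floor,
        "requirements_txt_pin": pin,
        "dev_env_protected": pin is not None and satisfies(pin, ">=", fixed_in),
        "users_protected": floor is not None and satisfies(floor, ">=", fixed_in),
    }


def installed_meets(package, fixed_in):
    """Check the running interpreter: (installed version or None, ok)."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None, False
    return installed, satisfies(installed, ">=", fixed_in)


# Constructed sample data (placeholder floors; not the project's real files).
SAMPLE_INSTALL_REQUIRES = ["Flask>=2.0", "PyJWT>=2.0", "cryptography>=3.3"]
SAMPLE_REQUIREMENTS_TXT = """\
flask==3.0.0
pyjwt==2.8.0
cryptography==41.0.6   # bumped here only, so PyPI installs never see it
"""

if __name__ == "__main__":
    print(audit_floor(SAMPLE_INSTALL_REQUIRES, SAMPLE_REQUIREMENTS_TXT,
                      "cryptography", "41.0.6"))
    print(installed_meets("cryptography", "41.0.6"))
```

Running it against the sample data reports `dev_env_protected: True` but `users_protected: False`, which is exactly the situation described above: the `41.0.6` pin lives in `requirements.txt`, while the floor advertised to installers stays at the old value. Raising the floor in `install_requires` (or, for Poetry users, in `pyproject.toml`) is what makes the second verdict flip; `installed_meets` is the runtime check a deployment can run regardless of how the package was installed.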

vimalloc commented 10 months ago

This was the original reason why it is set up the way it is: https://github.com/vimalloc/flask-jwt-extended/issues/467#issue-1143611571

I'm honestly not sure what best practices would dictate here. I'll think on this, and welcome any input that you or others may have!