Intel

AIKIDO-2026-889297

anyio is vulnerable to Improper Certificate Validation

Improper Certificate ValidationGHSA-82r6-8w77-94w6 Published Yesterday

93

Critical Risk

This Affects:

PYTHONanyio
0.0.1 - 4.14.1
Fixed in 4.14.2
Are you affected? Scan for Free

TL;DR

TLSStream.wrap() in anyio resolves internationalized hostnames using IDNA 2003 instead of IDNA 2008. Because the two standards map some Unicode labels to different ASCII encodings, the hostname passed to wrap_bio for certificate validation can differ from the hostname the caller intended. A TLS certificate issued for the IDNA 2008 encoding of a hostname can therefore fail validation against an IDNA 2003-encoded peer, and conversely a certificate for a different host under the IDNA 2003 mapping may be accepted as valid. The fix introduces idna2008_resolve() and uses the corrected server_hostname in wrap_bio.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses TLSStream.wrap() with internationalized (non-ASCII) hostnames.

Background info

anyio is vulnerable to Improper Certificate Validation in versions 0.0.1 - 4.14.1.

How to fix this

Upgrade the anyio library to the patch version.