anyio is vulnerable to Improper Certificate Validation
93
Critical Risk
TLSStream.wrap() in anyio resolves internationalized hostnames using IDNA 2003 instead of IDNA 2008. Because the two standards map some Unicode labels to different ASCII encodings, the hostname passed to wrap_bio for certificate validation can differ from the hostname the caller intended. A TLS certificate issued for the IDNA 2008 encoding of a hostname can therefore fail validation against an IDNA 2003-encoded peer, and conversely a certificate for a different host under the IDNA 2003 mapping may be accepted as valid. The fix introduces idna2008_resolve() and uses the corrected server_hostname in wrap_bio.
You are affected if you are using a version that falls within the vulnerable range and your application uses TLSStream.wrap() with internationalized (non-ASCII) hostnames.
anyio is vulnerable to Improper Certificate Validation in versions 0.0.1 - 4.14.1.
Upgrade the anyio library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant