
CVE patch for 5.1 (PVE-2025-76910)

Open agalazis opened this issue 5 months ago • 3 comments

Security vulnerability for v5.1.3

Since 4.2 is still LTS and is last supported by v5.1, it would be ideal to have a patch for the following CVE

What's wrong

https://data.safetycli.com/vulnerabilities/PVE-2025-76910/76910/

Affected versions of django-stubs are potentially vulnerable to Security Misconfiguration. The inclusion of type stubs for deprecated and insecure password hashers (MD5PasswordHasher, SHA1PasswordHasher, and CryptPasswordHasher) may inadvertently encourage their use in Django applications. This can lead to the storage of user passwords using weak hashing algorithms, making them susceptible to brute-force attacks.

Although the algorithms might not be used for storing passwords or anything critical:

  1. Not everybody needs to dive into the internals to figure that out
  2. Extra effort is needed to deal with whitelisting the vulnerability

agalazis avatar Jun 10 '25 09:06 agalazis

Maybe we can mark them as @deprecated 🤔 What other ideas do you have?

sobolevn avatar Jun 10 '25 10:06 sobolevn

The linked page goes to https://github.com/typeddjango/django-stubs/pull/2537/files , where I removed the types for the hashers which were removed in Django.

There is no code left for them, so nothing to fix, right?

adamchainz avatar Jun 10 '25 22:06 adamchainz

The linked page goes to https://github.com/typeddjango/django-stubs/pull/2537/files , where I removed the types for the hashers which were removed in Django.

There is no code left for them, so nothing to fix, right?

Yes, the request is for the fix to be ported to 5.1 (i.e. with a new 5.1.4 release), since people still use Django 4.2

agalazis avatar Jun 11 '25 06:06 agalazis

Affected versions of django-stubs are potentially vulnerable to Security Misconfiguration. The inclusion of type stubs for deprecated and insecure password hashers (MD5PasswordHasher, SHA1PasswordHasher, and CryptPasswordHasher) may inadvertently encourage their use in Django applications

This sounds ridiculous to me. Stubs reflect the runtime types as closely as possible, only hiding the internal implementation details (and even that isn't mandatory). Public classes that exist in the actual library and are intended for external use should not be omitted from stubs. Marking them as @deprecated might make sense - but, for example, MD5 hasher serves as a very convenient way to speed up unit tests that need an existing user in the DB, and it is not deprecated in the "will be removed sooner or later" sense.

sterliakov avatar Sep 16 '25 20:09 sterliakov
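A constructed illustration added to this thread (it is not code from django-stubs or Django) of the two things debated above: sobolevn's idea of marking the hashers @deprecated so that PEP 702-aware type checkers flag them, and the advisory's brute-force concern set against sterliakov's test-speed use. The hasher classes are stand-ins that only mimic the layout of Django's encoded strings; PBKDF2PasswordHasher, MD5PasswordHasher, run_demo, dictionary_attack, WORDLIST and the 100,000 iteration count are assumptions of the example, and the typing_extensions fallback is assumed to be present or else replaced by an inert decorator.

```python
"""Added example (not django-stubs or Django code): a stand-in for Django's
password-hasher interface showing (1) PEP 702 ``@deprecated`` on the MD5
hasher so type checkers can flag it, and (2) why MD5 is a test-speed
convenience but unsafe for stored passwords.  All names are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
import warnings

try:  # Python 3.13+ ships the PEP 702 decorator
    from warnings import deprecated
except ImportError:
    try:  # assumption: typing_extensions may be installed on older Pythons
        from typing_extensions import deprecated
    except ImportError:  # inert stand-in: records the message, no runtime warning
        def deprecated(message):
            def wrap(obj):
                obj.__deprecated__ = message
                return obj
            return wrap


class PBKDF2PasswordHasher:
    """Shaped like Django's default hasher: pbkdf2_sha256$iterations$salt$b64digest."""
    algorithm = "pbkdf2_sha256"
    iterations = 100_000  # assumption: kept far below Django's real default for speed

    def encode(self, password: str, salt: str) -> str:
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt.encode(), self.iterations
        )
        return f"{self.algorithm}${self.iterations}${salt}${base64.b64encode(digest).decode()}"

    def verify(self, password: str, encoded: str) -> bool:
        _, _, salt, _ = encoded.split("$", 3)
        return hmac.compare_digest(self.encode(password, salt), encoded)


@deprecated("MD5PasswordHasher is insecure for stored passwords; use it only to speed up tests")
class MD5PasswordHasher:
    """Shaped like Django's MD5 hasher: md5$salt$hexdigest of salt+password."""
    algorithm = "md5"

    def encode(self, password: str, salt: str) -> str:
        return f"{self.algorithm}${salt}${hashlib.md5((salt + password).encode()).hexdigest()}"

    def verify(self, password: str, encoded: str) -> bool:
        _, salt, _ = encoded.split("$", 2)
        return hmac.compare_digest(self.encode(password, salt), encoded)


def make_salt() -> str:
    return secrets.token_hex(8)


def dictionary_attack(encoded: str, hasher, wordlist) -> tuple:
    """Offline guessing against a leaked hash: (recovered password or None, attempts)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if hasher.verify(candidate, encoded):
            return candidate, attempts
    return None, len(wordlist)


def cost_per_hash(hasher, rounds: int = 3) -> float:
    """Seconds per encode(); this per-guess cost is what resists brute force."""
    salt = make_salt()
    start = time.perf_counter()
    for i in range(rounds):
        hasher.encode(f"probe-{i}", salt)
    return max((time.perf_counter() - start) / rounds, 1e-9)


WORDLIST = ["123456", "password", "qwerty", "letmein", "admin"]  # constructed sample


def run_demo(password: str = "letmein") -> dict:
    """Compare both hashers on one password; results are returned, not only printed."""
    with warnings.catch_warnings():
        # instantiating the @deprecated class emits DeprecationWarning on 3.13+
        warnings.simplefilter("ignore", DeprecationWarning)
        weak, strong = MD5PasswordHasher(), PBKDF2PasswordHasher()
    salt = make_salt()
    weak_hash, strong_hash = weak.encode(password, salt), strong.encode(password, salt)
    return {
        "md5_is_deprecated": isinstance(getattr(MD5PasswordHasher, "__deprecated__", None), str),
        "md5_known_answer": weak.encode("letmein", "abcd"),
        "md5_verifies": weak.verify(password, weak_hash),
        "pbkdf2_verifies": strong.verify(password, strong_hash),
        "md5_crack": dictionary_attack(weak_hash, weak, WORDLIST),
        "pbkdf2_crack": dictionary_attack(strong_hash, strong, WORDLIST),
        "slowdown_factor": cost_per_hash(strong) / cost_per_hash(weak),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both hashes fall to the five-word list, which is the point: a slow hasher does not rescue a weak password, it multiplies the attacker's cost per guess, and that multiplier is what slowdown_factor reports. The `__deprecated__` marker set by the decorator is what PEP 702-aware checkers such as mypy and pyright can report when the stubbed class is referenced, without the class having to disappear from the stubs.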