PyPI: python

CVE-2023-40217

Safety vulnerability ID: SFTY-20230825-66063

Safety legacy ID: pyup.io-60680

Python 3.8.18, 3.9.18, 3.10.13, 3.11.5 and 3.12.0rc2 include a fix for CVE-2023-40217: It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket. https://github.com/python/cpython/issues/108310 https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY

PythonPyPINVDNVD
Created at: Nov 5, 2025Updated at: Nov 5, 2025

Overview

Python 3.8.18, 3.9.18, 3.10.13, 3.11.5 and 3.12.0rc2 include a fix for CVE-2023-40217: It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket. https://github.com/python/cpython/issues/108310 https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY

Advisory

Python 3.8.18, 3.9.18, 3.10.13, 3.11.5 and 3.12.0rc2 include a fix for CVE-2023-40217: It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket. https://github.com/python/cpython/issues/108310 https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY

Affected Package

Affecting python package, versions
>=3.12.0a1,<=3.12.0rc1
>=3.11.0a1,<3.11.5
>=3.10.0a1,<3.10.13
>=3.9.0a1,<3.9.18
<3.8.18

Also affects

---

How to Fix

Upgrade
python
to
3.12.0rc2
3.11.5
3.10.13
3.9.18
3.8.18
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more