CVE-2024-5642 Overview
A buffer over-read vulnerability exists in CPython 3.9 and earlier because of missing input validation in the ssl module. CPython does not reject an empty list ([]) passed to SSLContext.set_npn_protocols(), even though a zero-length protocol buffer is an invalid input for the underlying OpenSSL API. When Next Protocol Negotiation (NPN) is then used with this configuration, OpenSSL reads past the end of the empty buffer (the OpenSSL side of the issue is tracked as CVE-2024-5535).
Critical Impact
Applications that use CPython's ssl module with NPN and configure an empty protocol list can disclose process memory to the TLS peer or crash during the handshake (denial of service).
Affected Products
- CPython 3.9 and earlier versions
- Applications utilizing SSLContext.set_npn_protocols() with NPN
- Systems running vulnerable Python versions with OpenSSL NPN support
Discovery Timeline
- 2024-06-27 - CVE-2024-5642 published to NVD
- 2025-10-07 - Last updated in NVD database
Technical Details for CVE-2024-5642
Vulnerability Analysis
This vulnerability stems from insufficient input validation in CPython's ssl module. SSLContext.set_npn_protocols() accepts an empty list even though the resulting zero-length protocol buffer is an invalid input for OpenSSL's NPN selection API. When NPN is then negotiated during a TLS handshake, OpenSSL's SSL_select_next_proto() reads past the end of that empty buffer.
The trigger is reachable over the network without authentication: any peer that completes NPN negotiation with the misconfigured application causes the over-read, with no crafted messages required. The practical exposure is narrow, because NPN has been superseded by ALPN (Application-Layer Protocol Negotiation) in modern deployments and deliberately configuring an empty protocol list is rare in real applications.
Root Cause
The root cause is a missing input check in CPython's ssl module. SSLContext.set_npn_protocols() should reject an empty protocol list before handing the encoded buffer to OpenSSL. Without that check the context stores a zero-length NPN buffer, and CPython's NPN callback later passes it to SSL_select_next_proto(), which assumes at least one protocol entry is present (the OpenSSL bug CVE-2024-5535).
Attack Vector
The attack vector is network-based: the over-read happens inside the TLS handshake, so a peer only needs to complete NPN negotiation with the vulnerable application. The exploitation scenario involves:
- A Python application configures an SSLContext with an empty NPN protocol list
- The application initiates or accepts TLS connections with NPN enabled
- With no overlap possible against an empty list, SSL_select_next_proto() falls back to the "first client protocol", reading a length byte from beyond the end of the empty buffer and returning a pointer and length derived from it
- The bytes at that pointer are sent to the peer as the selected protocol (memory disclosure), or the process crashes if the read reaches unmapped memory
The preconditions make widespread exploitation unlikely, but an affected application can leak process memory to the peer it negotiates NPN with, and can be crashed by that peer.
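The following is an added example, not code from CPython or OpenSSL. It models in Python the length-prefixed protocol buffer that CPython's ssl module builds for NPN and a simplified version of the no-overlap fallback in OpenSSL's SSL_select_next_proto(), so the root cause above (an empty list) and the attack steps (reading past the end of the empty buffer) can be traced without a TLS stack. The function names and the reject_empty switch are assumptions made for the demonstration; the C logic it mirrors is described in the comments.

```python
# Added example (not CPython or OpenSSL code): models the NPN protocol
# buffer CPython builds and the no-overlap fallback of OpenSSL's
# SSL_select_next_proto(), to show why a zero-length buffer is invalid.


def encode_protocols(protocols, reject_empty=True):
    """Build the length-prefixed buffer (1-byte length + ASCII name per
    entry) that CPython's ssl.py hands to OpenSSL for NPN.  The per-entry
    checks mirror ssl.py; the empty-list check is the missing check that
    CVE-2024-5642 is about.  reject_empty=False reproduces the pre-fix
    behaviour of accepting [] (assumption: for demonstration only)."""
    if reject_empty and len(protocols) == 0:
        raise ValueError("NPN protocol list must not be empty")
    buf = bytearray()
    for name in protocols:
        encoded = name.encode("ascii")
        if not 1 <= len(encoded) <= 255:
            raise ValueError("NPN protocols must be 1 to 255 in length")
        buf.append(len(encoded))
        buf.extend(encoded)
    return bytes(buf)


def parse_protocols(buf):
    """Split a length-prefixed buffer back into a list of names."""
    names, i = [], 0
    while i < len(buf):
        length = buf[i]
        names.append(bytes(buf[i + 1:i + 1 + length]))
        i += 1 + length
    return names


def select_next_proto(server_buf, client_buf):
    """Simplified Python model (assumption: not the real C code) of the
    pre-fix SSL_select_next_proto(): walk the server's list in order and
    pick the first entry the client also supports.  Returns
    (selected_name, overlap_found)."""
    client = parse_protocols(client_buf)
    for candidate in parse_protocols(server_buf):
        if candidate in client:
            return candidate, True
    # No overlap: fall back to the client's first protocol.  The C code
    # does 'result = client; *outlen = result[0]; *out = result + 1'
    # without checking client_len.  With an empty client buffer the
    # length byte at client_buf[0] lies past the end of the allocation:
    # in C that is the buffer over-read (CVE-2024-5535) whose bytes are
    # then sent to the peer; Python raises IndexError instead.
    length = client_buf[0]
    return bytes(client_buf[1:1 + length]), False


def negotiate(client_protocols, server_protocols, reject_empty=True):
    """End-to-end: an NPN client configured with client_protocols talks to
    a server advertising server_protocols.  In NPN the server advertises
    and the client selects, so the configured list is the 'client' buffer
    passed to select_next_proto().  Returns the client's selection."""
    client_buf = encode_protocols(client_protocols, reject_empty)
    server_buf = encode_protocols(server_protocols)
    return select_next_proto(server_buf, client_buf)


if __name__ == "__main__":
    print(negotiate(["h2", "http/1.1"], ["http/1.1"]))   # overlap
    print(negotiate(["h2"], ["spdy/3"]))                   # no overlap, safe
    try:
        negotiate([], ["http/1.1"], reject_empty=False)    # the CVE path
    except IndexError:
        print("empty client buffer: read past end (over-read in C)")
```

Run with a non-empty list and the fallback is harmless: the selection is simply the client's own first entry. Run with reject_empty=False and an empty list, and the model raises IndexError at the exact read the C code performs without a bounds check; the ValueError raised by the default path is the check the CPython fix adds.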
Detection Methods for CVE-2024-5642
Indicators of Compromise
- Unexpected application crashes (segmentation faults) during TLS handshakes that negotiate NPN
- Error logs indicating SSL/TLS protocol negotiation failures
- Python process crashes whose stack traces pass through the _ssl module or libssl
- NPN selected-protocol values in captured handshakes that are not among the application's configured protocol names, or that have an unexpected length (leaked memory is sent as the "selected" protocol)
Detection Strategies
- Audit Python codebases for usage of SSLContext.set_npn_protocols() with empty lists
- Monitor application logs for SSL-related exceptions or unexpected terminations
- Implement static code analysis to identify vulnerable SSL configuration patterns
- Review deployed Python versions and flag 3.9 and earlier installations that lack the fix (3.10 and later are not affected)
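The audit and static-analysis items above can be automated with a small AST scanner. The following is an added example, not a tool shipped with CPython or any project: it walks Python source, finds every call to a method named set_npn_protocols, and grades the call by whether the argument is a literal empty list (the CVE-2024-5642 trigger), a literal non-empty list (deprecated NPN, still worth migrating), or a runtime value that must be checked. The sample sources it scans are constructed for the example; scan_tree() is the entry point for a real checkout.

```python
import ast
import pathlib
import sys

# Constructed sample sources (not real project code) to run the scanner on.
SAMPLE_SOURCES = {
    "client_bad.py": (
        "import ssl\n"
        "ctx = ssl.create_default_context()\n"
        "ctx.set_npn_protocols([])\n"
    ),
    "client_ok.py": (
        "import ssl\n"
        "ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
        "ctx.set_alpn_protocols(['h2', 'http/1.1'])\n"
    ),
    "server_dynamic.py": (
        "import ssl\n"
        "def configure(ctx, protos):\n"
        "    ctx.set_npn_protocols(npn_protocols=protos)\n"
        "    ctx.set_npn_protocols(['http/1.1'])\n"
    ),
}


def _protocol_argument(call):
    """The value passed to set_npn_protocols(), positional or keyword."""
    if call.args:
        return call.args[0]
    for kw in call.keywords:
        if kw.arg == "npn_protocols":
            return kw.value
    return None


def classify(arg):
    """Map the argument node to (severity, reason)."""
    if isinstance(arg, (ast.List, ast.Tuple)) and not arg.elts:
        return "high", "empty literal protocol list (CVE-2024-5642 trigger)"
    if isinstance(arg, (ast.List, ast.Tuple)):
        return "low", "literal non-empty list; NPN is deprecated, prefer ALPN"
    return "medium", "list is computed at runtime; verify it can never be empty"


def scan_source(filename, source):
    """Return one finding dict per set_npn_protocols() call in source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and func.attr == "set_npn_protocols"):
            continue
        severity, reason = classify(_protocol_argument(node))
        findings.append({"file": filename, "line": node.lineno,
                         "severity": severity, "reason": reason})
    return findings


def scan_sources(sources):
    """Scan a {filename: source} mapping; files that do not parse are skipped."""
    findings = []
    for name, src in sources.items():
        try:
            findings.extend(scan_source(name, src))
        except SyntaxError:
            continue
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


def scan_tree(root):
    """Scan every .py file below root (the entry point for a real codebase)."""
    sources = {}
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            sources[str(path)] = path.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue
    return scan_sources(sources)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sources(SAMPLE_SOURCES)
    for f in results:
        print(f"{f['file']}:{f['line']}: [{f['severity']}] {f['reason']}")
```

The scanner matches on the attribute name only, so it also catches calls through wrappers or aliased context objects; the price is a possible false positive on an unrelated method that happens to share the name, which the "medium" grade is meant to prompt a human to resolve. Because the "medium" case covers any non-literal argument, it is the one to chase in codebases that build the protocol list from configuration.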
Monitoring Recommendations
- Enable detailed SSL/TLS logging in production applications to capture negotiation anomalies
- Collect crash reports or core dumps from Python processes so that faults in the _ssl module or libssl can be triaged rather than silently restarted
- Establish baseline metrics for TLS handshake success rates to identify deviations
- Implement alerting for Python process crashes with SSL-related stack traces
How to Mitigate CVE-2024-5642
Immediate Actions Required
- Upgrade CPython to a release that rejects an empty list in SSLContext.set_npn_protocols()
- Review application code for any usage of SSLContext.set_npn_protocols() with an empty or possibly empty list
- Migrate from NPN to ALPN for protocol negotiation where the peer supports it
- If you build CPython from source, backport the fix commits referenced from the GitHub issue rather than waiting for a distribution package
Patch Information
The Python Security Team has addressed this vulnerability through commits to the CPython repository. The fix adds proper validation to reject empty protocol lists in SSLContext.set_npn_protocols(). Detailed patch information is available through the Python Security Mailing List Thread and the GitHub Issue.
Organizations using affected Python versions should prioritize upgrading to patched releases. The NetApp Security Advisory provides additional vendor-specific guidance for affected deployments.
Workarounds
- Ensure NPN protocol lists always contain at least one valid protocol name before configuration
- Disable NPN entirely if not required by switching to ALPN-only configurations
- Implement application-level validation before calling set_npn_protocols()
- Move to Python 3.10 or later, which is not affected: NPN support was removed from the ssl module there and set_npn_protocols() is deprecated
# Configuration example - validate the protocol list before configuring NPN
import ssl

def configure_protocols(ssl_context, protocols):
    # An empty list reaching set_npn_protocols() on Python <= 3.9 is the
    # CVE-2024-5642 trigger, so only configure NPN with a non-empty list
    # and only where the interpreter still supports NPN at all.
    if protocols and getattr(ssl, "HAS_NPN", False):
        ssl_context.set_npn_protocols(list(protocols))
    else:
        # Use ALPN instead or skip NPN configuration entirely
        ssl_context.set_alpn_protocols(['http/1.1', 'h2'])

ctx = ssl.create_default_context()
configure_protocols(ctx, ['http/1.1', 'h2'])
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

