CVE-2024-3219 MEDIUM

CVE-2024-3219: Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection

Vendor Python Software Foundation

Product CPython

Published July 29, 2024

Last update May 2, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.

Key dates

Disclosure timeline

July 29, 2024 CVE published

May 2, 2025 Record updated

Identifiers

CVE CVE-2024-3219

CVSS 5.1 / MEDIUM

Affected versions

Vendor Python Software Foundation

Product CPython

Affected < 3.8.20

Vendor Python Software Foundation

Product CPython

Affected ≥ 3.9.0 and < 3.9.20

Vendor Python Software Foundation

Product CPython

Affected ≥ 3.10.0 and < 3.10.15

Vendor Python Software Foundation

Product CPython

Affected ≥ 3.11.0 and < 3.11.10

Vendor Python Software Foundation

Product CPython

Affected ≥ 3.12.0 and < 3.12.5

Vendor Python Software Foundation

Product CPython

Affected ≥ 3.13.0a1 and < 3.13.0rc1