GHSA-j48q-4c78-rhf9: openssl-encrypt: Dynamic .so loading for Whirlpool uses broad glob pattern without integrity verification

March 31, 2026

The Whirlpool hash implementation in openssl_encrypt/modules/registry/hash_registry.py at lines 570-589 uses glob patterns to find .so modules in site-packages and loads the first match via importlib without verifying module integrity.

References

github.com/advisories/GHSA-j48q-4c78-rhf9
github.com/jahlives/openssl_encrypt
github.com/jahlives/openssl_encrypt/commit/963d0d1278b722ea134272f9df65fddcd3e6ab47
github.com/jahlives/openssl_encrypt/security/advisories/GHSA-j48q-4c78-rhf9

Code Behaviors & Features

Detect and mitigate GHSA-j48q-4c78-rhf9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →