PyPI Warehouse

Findings · 14

1. 1 OIDC JTI anti-replay lock expires before JWT leeway window closes Medium
2. 2 OIDC token minting is vulnerable to a TOCTOU race in JTI anti-replay Low
3. 3 Verification badge bypass on the home page and download URLs Low
4. 4 Project-level token deletion audit events silently dropped due to data structure mismatch Low
5. 5 Password reset leaks privileged account status Low
6. 6 IP ban bypass via macaroon API token authentication Informational
7. 7 Moderators can modify organization applications due to a missing write permission check Low
8. 8 Organization members can invite new owners due to a missing manage permission check High
9. 9 TOTP replay prevention bypass via space normalization mismatch between validation and storage Informational
10. 10 Wheel METADATA is served to installers without validation against upload metadata Low
11. 11 IDOR in API token deletion allows any authenticated user to delete other users’ macaroons Low
12. 12 GitHub OIDC publisher lookup lacks issuer URL isolation for custom GHES issuers Informational
13. 13 Organization-scoped project associations persist after project transfer or removal High
14. 14 Admin flag changes lack audit logging Informational

Findings extracted from the published report PDF. See the full report below for details and remediation.