DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-8F6J-263M-G72X: GHSA-8F6J-263M-G72X: OCSP Revocation Checking Bypass in Apple App Store Server Python Library

GHSA-8F6J-263M-G72X: OCSP Revocation Checking Bypass in Apple App Store Server Python Library

Vulnerability ID: GHSA-8F6J-263M-G72X
CVSS Score: 6.9
Published: 2026-07-13

A cryptographic validation flaw in the Apple App Store Server Python Library allows an attacker to bypass Online Certificate Status Protocol (OCSP) revocation checks. When online verification is enabled, the library fails to validate temporal constraints on OCSP response payloads. This flaw enables network-positioned adversaries to perform OCSP replay attacks, forcing the application to accept JSON Web Signatures (JWS) signed by revoked certificates.

TL;DR

An input verification flaw in apple-store-server-library (<=3.1.1) allows attackers to replay expired OCSP responses, validating revoked certificates and bypassing signature authentication boundaries.


Technical Details

  • CWE ID: CWE-295, CWE-299
  • Attack Vector: Network
  • CVSS v4.0: 6.9 (Medium)
  • Exploit Status: none (theoretical)
  • Vulnerable Versions: >= 0.2.0, <= 3.1.1
  • Fixed Version: 3.1.2

Affected Systems

  • Apple App Store Server Python Library (app-store-server-library) on Python/PyPI environments
  • app-store-server-library: >= 0.2.0, <= 3.1.1 (Fixed in: 3.1.2)

Mitigation Strategies

  • Upgrade Python dependency app-store-server-library to at least 3.1.2
  • Review security configurations to ensure clock synchronization protocols like NTP are active on all servers running verification tasks
  • Establish strict egress filtering to limit external network interactions if signature checking occurs in isolated execution units

Remediation Steps:

  1. Identify all deployment nodes and virtual environments using app-store-server-library
  2. Modify requirement configurations (requirements.txt, pyproject.toml, or Pipfile) to specify >=3.1.2
  3. Re-run pip-audit or equivalent Software Composition Analysis (SCA) to verify package dependencies are secure

References


Read the full report for GHSA-8F6J-263M-G72X on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)