CVE-2024-5642: Vulnerability in Python Software Foundation CPython
CVE-2024-5642 is a medium severity vulnerability in CPython 3.9 and earlier where configuring an empty list for SSLContext.set_npn_protocols() leads to a buffer over-read, because the empty list is an invalid value for the underlying OpenSSL API. This issue arises because CPython does not disallow an empty list, which is not a typical configuration. The vulnerability impacts confidentiality slightly and availability minimally, with no integrity impact. It requires no privileges or user interaction and can be exploited remotely over the network. The threat is limited by the uncommon use of NPN (Next Protocol Negotiation) and the rarity of setting an empty protocol list. European organizations using affected CPython versions in network-facing applications that utilize NPN could be exposed. Mitigation involves upgrading CPython to versions that enforce valid protocol lists or applying patches once available, and auditing code to avoid empty NPN protocol configurations. Countries with significant Python usage in critical infrastructure and technology sectors, such as Germany, France, the UK, and the Netherlands, are more likely to be affected.
AI Analysis
Technical Summary
CVE-2024-5642 is a vulnerability identified in CPython versions 3.9 and earlier, related to the handling of the SSLContext.set_npn_protocols() method. This method allows configuration of Next Protocol Negotiation (NPN) protocols for SSL/TLS connections. The vulnerability occurs because CPython does not prevent an empty list ("[]") from being set as the NPN protocols, which is invalid for the underlying OpenSSL API. When an empty list is configured, it causes a buffer over-read condition in OpenSSL (linked to CVE-2024-5535), potentially leading to information disclosure or application instability. NPN is a TLS extension used to negotiate the protocol (e.g., HTTP/2) during the TLS handshake, but it is not widely adopted, having been largely superseded by ALPN (Application-Layer Protocol Negotiation). The vulnerability has a CVSS 3.1 base score of 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality and availability impact. There is no known exploitation in the wild at this time. The flaw primarily affects applications that use CPython’s SSL module with NPN enabled and configure an empty protocol list, which is an uncommon scenario. The issue can lead to a buffer over-read, which might expose sensitive memory contents or cause a denial of service due to application crashes. The vulnerability was reserved in early June 2024 and published later that month, with no patches currently linked, indicating that users should monitor for updates from the Python Software Foundation. This vulnerability highlights the importance of input validation in security-sensitive APIs and the risks of legacy protocol support in cryptographic libraries.
Potential Impact
For European organizations, the impact of CVE-2024-5642 is moderate but context-dependent. Organizations running Python-based applications that utilize SSL/TLS with NPN enabled and that might inadvertently configure empty protocol lists could face confidentiality risks due to buffer over-reads exposing memory contents. Availability could also be affected if the buffer over-read causes application crashes or service disruptions. However, since NPN is not widely used and empty lists are unlikely to be configured in practice, the overall risk is limited. Critical infrastructure, financial services, and technology companies that rely heavily on Python for network services or automation could be more exposed, especially if they have legacy systems or custom SSL configurations. The vulnerability does not affect integrity and requires no authentication or user interaction, making remote exploitation feasible but constrained by the uncommon triggering conditions. The lack of known exploits in the wild reduces immediate risk but does not eliminate the need for vigilance. Organizations should assess their use of CPython SSL features and consider the potential for indirect impacts on dependent services and supply chains.
Mitigation Recommendations
To mitigate CVE-2024-5642, European organizations should:
1) Upgrade CPython to the latest supported versions where this vulnerability is addressed or where input validation for SSLContext.set_npn_protocols() is enforced.
2) Audit codebases and configurations to ensure that empty lists are not passed to set_npn_protocols(), and avoid using NPN where possible, favoring ALPN instead.
3) Monitor Python Software Foundation and OpenSSL advisories for patches and apply them promptly once available.
4) Implement runtime monitoring and anomaly detection for unexpected SSL/TLS handshake behaviors that could indicate exploitation attempts.
5) Conduct security testing on Python applications that use SSL/TLS to identify and remediate unsafe protocol configurations.
6) For critical systems, consider network segmentation and limiting exposure of vulnerable services to reduce attack surface.
7) Educate developers and system administrators about the risks of legacy TLS extensions and the importance of secure protocol negotiation configurations.
These steps go beyond generic advice by focusing on code audit, configuration hygiene, and proactive monitoring specific to the vulnerability’s nature.
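The Technical Summary describes the invalid empty protocol list and the Mitigation Recommendations call for validating it and preferring ALPN. As an added example (not CPython project code, not from this advisory), the following applies the same length-prefixed encoding rule OpenSSL expects to reject an empty list before the ssl module ever sees it, configures ALPN first, and includes a small static audit helper for the code review step; the function names and the constructed AUDIT_SAMPLE snippet are this example's own.

```python
import ast
import ssl
import warnings


def encode_protocol_list(protocols):
    """Length-prefix protocol names as the NPN/ALPN wire format does,
    refusing what the advisory calls invalid: an empty list, and
    names that are empty or longer than 255 bytes."""
    if not protocols:
        raise ValueError("protocol list must not be empty")
    out = bytearray()
    for name in protocols:
        raw = name.encode("ascii") if isinstance(name, str) else bytes(name)
        if not 1 <= len(raw) <= 255:
            raise ValueError(f"protocol name length out of range: {raw!r}")
        out.append(len(raw))
        out.extend(raw)
    return bytes(out)


def make_client_context(protocols, allow_npn=False):
    """TLS client context negotiating via ALPN; NPN is configured only
    when explicitly requested and supported by this interpreter build.
    Returns the context and a label naming what was configured."""
    encode_protocol_list(protocols)  # validate before OpenSSL is touched
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(list(protocols))
    if allow_npn and getattr(ssl, "HAS_NPN", False):
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_npn_protocols(list(protocols))
        return ctx, "alpn+npn"
    return ctx, "alpn"


def find_empty_npn_calls(source):
    """Audit helper: line numbers of set_npn_protocols() calls whose
    argument is a literal empty list (dynamic lists are not checked)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_npn_protocols"
                and node.args and isinstance(node.args[0], ast.List)
                and not node.args[0].elts):
            hits.append(node.lineno)
    return hits


# Constructed snippet standing in for code under review.
AUDIT_SAMPLE = "ctx = ssl.create_default_context()\nctx.set_npn_protocols([])\n"
```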
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: PSF
- Date Reserved: 2024-06-04T18:40:21.539Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68e54032a677756fc996bc83
Added to database: 10/7/2025, 4:30:42 PM
Last enriched: 10/7/2025, 4:45:27 PM
Last updated: 10/7/2025, 7:47:42 PM