
GHSA-6qhv-4h7r-2g9m
Python vulnerability analysis and mitigation

Overview

The vulnerability (CVE-2025-52556/GHSA-6qhv-4h7r-2g9m) affects rfc3161-client, a Python library implementing the Time-Stamp Protocol (TSP), in versions 1.0.2 and earlier. The vulnerability was discovered and disclosed on June 20, 2025, and involves insufficient verification of timestamp response signatures (GitHub Advisory).

Technical details

The vulnerability stems from a flaw in the timestamp response signature verification logic. While the library verifies the chain formed by the TSR's embedded certificates up to the trusted root(s), it does not verify the TSR's own signature against the timestamping leaf certificate. The vulnerability has been assigned a Critical severity rating with a CVSS v4.0 base score of 9.3 and is classified as CWE-347 (Improper Verification of Cryptographic Signature) (NVD, GitHub Advisory).

Impact

The vulnerability allows attackers to introduce any TSR signature as long as the embedded leaf chains up to some root TSA, effectively bypassing the intended security measures. This compromises the integrity of the timestamp verification process, potentially allowing for unauthorized modifications or falsification of timestamps (GitHub Advisory).
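A toy model of the check described in the two sections above, added here as an illustration and not code from rfc3161-client: a keyed MAC (HMAC) stands in for the TSA's signature and certificates are reduced to issuer links, so only the trust structure is modelled. The vulnerable verifier accepts a TSR whose embedded leaf chains to a trusted root regardless of which key produced the signature; the fixed verifier additionally checks the signature over the TSTInfo under the leaf's key.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model, not rfc3161-client code. An HMAC key stands in for a
# certificate's key pair; issuer names stand in for the certificate chain.


@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str   # name of the issuing cert; a root is self-issued
    key: bytes    # stand-in for the key pair bound to this cert


def chains_to_root(leaf, chain, roots):
    """Walk issuer links from the leaf; succeed only if a trusted root is reached."""
    cur = leaf
    for _ in range(len(chain) + 1):  # bounded walk so a cycle terminates
        if cur.name in roots:
            return True
        if cur.issuer == cur.name or cur.issuer not in chain:
            return False
        cur = chain[cur.issuer]
    return False


def sign(key, tst_info):
    return hmac.new(key, tst_info, hashlib.sha256).digest()


def verify_vulnerable(tst_info, signature, leaf, chain, roots):
    # Pre-1.0.3 behaviour as the advisory describes it: the chain is checked,
    # but the signature bytes are never compared against anything.
    return chains_to_root(leaf, chain, roots)


def verify_fixed(tst_info, signature, leaf, chain, roots):
    # Chain check AND signature check over the TSTInfo under the leaf's key.
    if not chains_to_root(leaf, chain, roots):
        return False
    return hmac.compare_digest(sign(leaf.key, tst_info), signature)


def demo():
    root = Cert("Root TSA", "Root TSA", b"root-key")
    leaf = Cert("TSA Leaf", "Root TSA", b"leaf-key")
    chain = {c.name: c for c in (root, leaf)}
    roots = {"Root TSA"}
    tst_info = b"constructed TSTInfo: hash=..., genTime=20250620000000Z"
    genuine = sign(leaf.key, tst_info)           # produced by the TSA leaf
    forged = sign(b"unrelated-key", tst_info)    # produced by some other key
    return {
        "genuine_vuln": verify_vulnerable(tst_info, genuine, leaf, chain, roots),
        "forged_vuln": verify_vulnerable(tst_info, forged, leaf, chain, roots),
        "genuine_fixed": verify_fixed(tst_info, genuine, leaf, chain, roots),
        "forged_fixed": verify_fixed(tst_info, forged, leaf, chain, roots),
    }
```

The `forged_vuln` result is the advisory's point: a response carrying a legitimate embedded chain passes even though its signature was not produced by that chain's leaf.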

Mitigation and workarounds

Users are advised to immediately upgrade to rfc3161-client version 1.0.3 or later, which contains the patch for this vulnerability. There are no alternative workarounds available, making the upgrade the only solution (GitHub Advisory).

Source: This report was generated using AI.
