
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical build corruption vulnerability was discovered in PyO3 versions 0.23.0 through 0.23.2. The issue involves the PYO3_CONFIG_FILE environment variable, whose handling regressed in version 0.23.0 so that changing it no longer triggers PyO3 to reconfigure and recompile. This vulnerability was disclosed on December 5, 2024, and affects the PyO3 Rust crate, which is used for building Python extensions (GitHub Advisory, RustSec Advisory).
The vulnerability stems from a regression in PyO3 0.23.0 where the handling of the PYO3_CONFIG_FILE environment variable was modified, omitting the cargo:rerun-if-changed directive for it, so Cargo no longer knows to invalidate cached build output when the variable changes. This oversight affects scenarios where multiple builds are performed in the same directory or where build caching is used. It is especially problematic when tools like maturin are used to build for multiple Python versions in a single build process, because the second and later builds can silently reuse artifacts configured for the first Python version (GitHub Issue).
The vulnerability leads to Python wheels being compiled against incorrect Python API versions, resulting in highly unstable artifacts that can crash the Python interpreter in unpredictable ways. This particularly affects projects that distribute artifacts for multiple Python versions. Projects building single abi3 wheels, such as cryptography, are likely unaffected (GitHub Advisory, GitHub Issue).
The vulnerability has been patched in PyO3 version 0.23.3. All users who distribute artifacts for multiple Python versions are strongly encouraged to update to this version and rebuild their packages. The fix corrects the handling of the PYO3_CONFIG_FILE environment variable so that changes to it once again trigger reconfiguration and recompilation (GitHub Advisory).
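Two defender-side checks for the problem described above, as an added example that is not PyO3's or this database's own code: a scan of Cargo.lock text for a pyo3 version in the affected range, and the Cargo rerun directives a build script has to print so that a change to PYO3_CONFIG_FILE (or the file it names) invalidates the cached build. The function names and the sample Cargo.lock excerpt are constructed for this example; the directive names are Cargo's standard ones and are assumed to correspond to what PyO3's fix restores, since the page does not show the patch itself.

```rust
// Added example (not PyO3's or Wiz's own code). The affected range comes from
// the advisory: 0.23.0 through 0.23.2, fixed in 0.23.3.

/// Returns true when `version` falls in the affected range 0.23.0..=0.23.2.
pub fn is_affected_pyo3(version: &str) -> bool {
    let parts: Vec<u32> = version
        .split('.')
        .filter_map(|p| p.parse().ok())
        .collect();
    matches!(parts.as_slice(), [0, 23, patch] if *patch <= 2)
}

/// Scans Cargo.lock text for the `pyo3` package and returns its version.
/// Only the exact package name matches, so `pyo3-build-config` is skipped.
pub fn pyo3_version_in_lockfile(lock: &str) -> Option<String> {
    let mut in_pyo3 = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_pyo3 = false;
        } else if line == "name = \"pyo3\"" {
            in_pyo3 = true;
        } else if in_pyo3 {
            if let Some(v) = line.strip_prefix("version = \"") {
                return v.strip_suffix('"').map(str::to_string);
            }
        }
    }
    None
}

/// Directives a build script must print so Cargo re-runs it when the
/// PYO3_CONFIG_FILE variable, or the file it points to, changes. Without
/// them Cargo keeps the cached configuration, which is the regression here.
pub fn rerun_directives(config_file: Option<&str>) -> Vec<String> {
    let mut out = vec!["cargo:rerun-if-env-changed=PYO3_CONFIG_FILE".to_string()];
    if let Some(path) = config_file {
        out.push(format!("cargo:rerun-if-changed={path}"));
    }
    out
}

// Constructed Cargo.lock excerpt for the demonstration.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"pyo3\"\nversion = \"0.23.1\"\n";

fn main() {
    let v = pyo3_version_in_lockfile(SAMPLE_LOCK).unwrap_or_default();
    println!("pyo3 {v}: affected = {}", is_affected_pyo3(&v));
    for d in rerun_directives(std::env::var("PYO3_CONFIG_FILE").ok().as_deref()) {
        println!("{d}");
    }
}
```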
Source: This report was generated using AI