RUSTSEC-2024-0409: 
Rust vulnerability analysis and mitigation

RUSTSEC-2024-0409 affects PyO3 versions 0.23.0 through 0.23.2. The vulnerability is related to a soundness bug in compile configuration where the PYO3CONFIGFILE environment variable is not properly handled, leading to incorrect code generation. The issue was discovered and disclosed in December 2024, affecting Python bindings created with the affected PyO3 versions (PyO3 Issue).

The vulnerability stems from a change in how the PYO3CONFIGFILE environment variable is read, where the code fails to emit the cargo:rerun-if-changed block for it. This causes wheels built in bulk for multiple Python interpreters to not rebuild properly, instead containing code configured for only the first interpreter built. This particularly impacts scenarios where multiple builds are performed in the same directory or when build caching is used (PyO3 Issue).

The bug results in wheels that are highly unstable and can fail in unpredictable ways. This has led to segmentation faults in projects like watchfiles and jiter, as well as unexpected errors in test suites of projects such as pydantic-core. Projects building single ABI3 wheels, like cryptography, are likely unaffected (PyO3 Issue).

The issue has been fixed in PyO3 version 0.23.3. Users are advised to upgrade to this version immediately. The development team has indicated that versions 0.23.0 through 0.23.2 will be yanked from the repository (PyO3 Issue).