CVE-2022-23491
Trust Store Compromise vulnerability in certifi (PyPI)


What is CVE-2022-23491 About?

This vulnerability involves the removal of TrustCor root certificates from the Certifi root store due to concerns over the certificate authority's ownership operating spyware. While not a direct system compromise, it ensures that applications relying on Certifi will no longer trust certificates issued by TrustCor. This is a preventative measure, not an exploitable flaw in Certifi itself.

Affected Software

  • certifi
    • >2017.11.5, <2022.12.7 (equivalently >2017.11.05, <2022.12.07; calendar versions with or without the leading zero denote the same releases)

Technical Details

Certifi version 2022.12.07 removes the root certificates associated with 'TrustCor' from its bundled root certificate store (cacert.pem). This action is a direct response to an investigation by Mozilla, prompted by media reports that TrustCor's ownership also managed a business that developed spyware. The removal revokes trust in any certificate issued by TrustCor within applications that depend on Certifi for their trust store. Certifi itself contains no exploitable vulnerability; the practical consequences lie on either side of the upgrade: an application still on an older bundle continues to accept TrustCor-issued certificates during TLS/SSL validation, and an application on the new bundle will no longer be able to connect to a service that still presents a TrustCor-issued certificate.

What is the Impact of CVE-2022-23491?

Before the upgrade, an application that still trusts the bundled TrustCor roots may accept a TrustCor-issued certificate presented by an attacker, allowing impersonation of a legitimate service. After the upgrade, applications can no longer connect to services that still rely on the revoked TrustCor certificates, resulting in connection failures.

What is the Exploitability of CVE-2022-23491?

This is not a traditional exploitable vulnerability in the sense of direct remote code execution or data theft; it is a measure taken to mitigate a potential trust issue. No attack complexity, authentication, or privilege requirements apply in the usual sense, because the concern is an ecosystem-wide trust revocation rather than a flaw that an attacker triggers. The 'exploitation' scenario would be an attacker who had previously compromised a system or service and used a TrustCor certificate for malicious purposes (e.g., man-in-the-middle attacks or hosting a malicious website) while clients still trusted that CA. Removing these roots prevents applications that use Certifi from trusting such certificates. The risk is therefore not about exploiting Certifi, but about the broader implications of trusting a potentially compromised CA.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-23491?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch removes several untrusted or no longer trusted certificate authorities (Network Solutions, Staat der Nederlanden EV Root CA, and multiple TrustCor roots) from the certifi cacert.pem trust store and adds tests to verify their removal. By eliminating these certificates, the patch mitigates the risk of compromised, misused, or otherwise insufficiently trustworthy CAs being used for TLS connections, directly addressing and fixing CVE-2022-23491.

Available Upgrade Options

  • certifi
    • >2017.11.5, <2022.12.7 (equivalently >2017.11.05, <2022.12.07) → Upgrade to 2022.12.7
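The two checks a practitioner actually wants here are "is my certifi inside the affected range?" and "does the bundle my application loads still carry TrustCor roots?". The following Python is an added example, not certifi's or Resolved Security's code. It assumes the `# Label:` / `# Subject:` comment headers that certifi's cacert.pem places above each PEM block, and uses the real `certifi.where()` and `importlib.metadata.version()` APIs when certifi is installed. The sample bundle embedded in the block is constructed, and its PEM bodies are placeholders rather than real certificates.

```python
"""Check a certifi version against the advisory's range and audit a
certifi-style bundle for roots matching a CA name (constructed example)."""
import re
from importlib import metadata

# Affected range as stated in the advisory: exclusive on both ends.
AFFECTED_AFTER = "2017.11.5"
FIXED_IN = "2022.12.7"

# Constructed sample bundle: two TrustCor roots plus one unrelated root.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_BUNDLE = """\
# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Subject: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Label: "TrustCor RootCert CA-1"
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDNOTAREALCERT
-----END CERTIFICATE-----

# Issuer: CN=Example Trust Root O=Example Trust Inc
# Subject: CN=Example Trust Root O=Example Trust Inc
# Label: "Example Trust Root"
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDNOTAREALCERT
-----END CERTIFICATE-----

# Issuer: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L.
# Subject: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L.
# Label: "TrustCor ECA-1"
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64CONSTRUCTEDNOTAREALCERT
-----END CERTIFICATE-----
"""


def parse_version(v):
    """certifi uses calendar versions; '2022.12.07' and '2022.12.7' name the
    same release, so compare numerically rather than as strings."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version):
    """True when version lies strictly inside (AFFECTED_AFTER, FIXED_IN)."""
    v = parse_version(version)
    return parse_version(AFFECTED_AFTER) < v < parse_version(FIXED_IN)


def parse_bundle(text):
    """Return (label, subject, pem) for each certificate in a bundle that uses
    certifi's '# Label:' / '# Subject:' comment headers above each PEM block."""
    entries = []
    label = subject = None
    pem_lines = None
    for line in text.splitlines():
        if line.startswith("# Label:"):
            label = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("# Subject:"):
            subject = line.split(":", 1)[1].strip()
        elif line == "-----BEGIN CERTIFICATE-----":
            pem_lines = [line]
        elif pem_lines is not None:
            pem_lines.append(line)
            if line == "-----END CERTIFICATE-----":
                entries.append((label, subject, "\n".join(pem_lines)))
                label = subject = pem_lines = None
    return entries


def find_roots(text, needle):
    """Labels of roots whose label or subject mentions needle (case-insensitive)."""
    pattern = re.compile(re.escape(needle), re.IGNORECASE)
    return [label for label, subject, _ in parse_bundle(text)
            if pattern.search(label or "") or pattern.search(subject or "")]


def audit_installed(needle="TrustCor"):
    """Audit the certifi installed in this interpreter, if any.
    Returns (version, affected_by_version, matching_labels) or None."""
    try:
        import certifi
        version = metadata.version("certifi")
    except Exception:  # certifi missing or metadata unavailable
        return None
    with open(certifi.where(), encoding="utf-8") as fh:
        labels = find_roots(fh.read(), needle)
    return version, is_affected(version), labels


if __name__ == "__main__":
    print("sample bundle TrustCor roots:", find_roots(SAMPLE_BUNDLE, "TrustCor"))
    result = audit_installed()
    if result is None:
        print("certifi is not installed in this interpreter")
    else:
        version, affected, labels = result
        print(f"certifi {version}: affected-by-version={affected}, TrustCor roots={labels}")
```

Both checks matter because an application can pin or vendor its own copy of cacert.pem: the version check tells you whether the package is patched, and the bundle audit tells you whether the file the TLS context actually loads (for instance via `ssl.create_default_context(cafile=certifi.where())`) still contains the revoked roots.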


Additional Resources

What are Similar Vulnerabilities to CVE-2022-23491?

Similar Vulnerabilities: CVE-2017-1529, CVE-2017-1528, CVE-2011-3057, CVE-2013-6401, CVE-2014-1490