What is the CVSS score of CVE-2024-21669?

CVE-2024-21669 has a CVSS 3.1 base score of 9.9 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2024-21669?

CVE-2024-21669 presents critical security risk, a signature bypass vulnerability rated CVSS 9.9.. A patch is available.

Is there a public PoC exploit available for CVE-2024-21669?

Yes, a public proof-of-concept exploit is available for CVE-2024-21669. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-21669?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Python CVE-2024-21669

CRITICAL

Improper Verification of Cryptographic Signature (CWE-347)

2024-01-11 security-advisories@github.com

Python Jwt Attack Information Disclosure Aries Cloud Agent

9.9

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.9 CRITICAL

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:34 vuln.today

Patch released

Mar 28, 2026 - 19:34 nvd

Patch available

PoC Detected

Nov 21, 2024 - 08:54 vuln.today

Public exploit code

CVE Published

Jan 11, 2024 - 06:15 nvd

CRITICAL 9.9

DescriptionGitHub Advisory

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation document.proof was not factored into the final verified value (true/false) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.

AnalysisAI

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-347. Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation document.proof was not factored into the final verified value (true/false) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5. Affected products include: Hyperledger Aries Cloud Agent. Version information: version 0.7.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More from same product – last 7 days

CVE-2026-48039 CRITICAL Act Now POC

9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL Act Now

9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co

CVE-2026-45833 CRITICAL Act Now

9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

CVE-2024-21669 vulnerability details – vuln.today

Back