The PublicKeyBundle.from_dict() method in openssl_encrypt/modules/key_bundle.py at lines 329-361 creates bundles from untrusted data without verifying the signature. The docstring warns to call verify_signature() after creation, but the to_identity() method (line 363-391) can convert an unverified bundle directly to an Identity object.
The /ready endpoint in openssl_encrypt_server/server.py at lines 159-175 catches database errors and returns the full exception string in the response.
The revoke_key method in openssl_encrypt_server/modules/keyserver/service.py at lines 195-270 accepts a client_id parameter but never verifies that the requesting client is the same as key.owner_client_id.
Both standalone servers configure CORS with allow_origins=[""], allow_credentials=True, allow_methods=[""], and allow_headers=["*"].
Refresh tokens are accepted as URL query parameters in the keyserver and telemetry server routes.
The TOTP brute-force rate limiter in openssl_encrypt_server/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable.
The Whirlpool hash implementation in openssl_encrypt/modules/registry/hash_registry.py at lines 570-589 uses glob patterns to find .so modules in site-packages and loads the first match via importlib without verifying module integrity.
In openssl_encrypt/modules/json_validator.py at lines 234-238, when the jsonschema library is not installed, all schema validation is silently skipped with only a print warning.
Passwords passed via the –password / -p CLI argument in openssl_encrypt/modules/crypt_cli_subparser.py at lines 150-154 are visible to any user on the system via ps aux or /proc/[pid]/cmdline.
The generate_pseudorandom_sequence() function in openssl_encrypt/plugins/steganography/core/utils.py at lines 89-91 uses Python's random module (Mersenne Twister) for steganographic pixel/sample selection.