VYPR
Moderate severity · NVD Advisory · Published Nov 4, 2012 · Updated Apr 29, 2026

CVE-2012-5825


Description

Tweepy does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python httplib library.
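The check the description says is missing, shown as an added example (not Tweepy's code or its fix): a TLS client context that validates only the chain beside one that also validates the name, plus the name comparison itself. The function names and sample certificates are constructed for illustration; the certificate dicts follow the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl

def chain_only_context():
    """Weak setting: the chain is validated, the server name is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # any valid certificate is accepted
    return ctx

def hardened_context():
    """Corrected setting: CERT_REQUIRED and check_hostname=True (the default)."""
    return ssl.create_default_context()

def _dns_match(pattern, hostname):
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # A wildcard counts only as the whole left-most label, with at
    # least two further labels after it, and it covers one label.
    if p[0] == "*" and len(p) >= 3:
        return bool(h[0]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def hostname_matches(cert, hostname):
    """Compare hostname with the subjectAltName dNSName entries of cert.

    The subject Common Name is consulted only when the certificate
    carries no dNSName entry at all.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_match(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)

# Constructed sample certificates (not taken from any real server).
API_CERT = {"subject": ((("commonName", "api.example.com"),),),
            "subjectAltName": (("DNS", "api.example.com"),
                               ("DNS", "*.api.example.com"))}
OTHER_SITE_CERT = {"subject": ((("commonName", "other-site.example"),),),
                   "subjectAltName": (("DNS", "other-site.example"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for cert in (API_CERT, OTHER_SITE_CERT, CN_ONLY_CERT):
        print(hostname_matches(cert, "api.example.com"))
```

With `check_hostname` left enabled, Python's `ssl` module performs this comparison during the handshake, so application code does not need its own matcher.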

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tweepy (PyPI)
Affected versions: < 3.0
Patched versions: 3.0
