VYPR
High severity · NVD Advisory · Published Nov 12, 2019 · Updated Aug 6, 2024

CVE-2014-7143

Description

Python Twisted 14.0 trustRoot is not respected in HTTP client

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Twisted HTTP client ignored user-specified trustRoot, accepting any CA-signed certificate instead of restricting trust.

Vulnerability

Description

Python Twisted up to version 14.0 contains a flaw in its HTTP client where the trustRoot parameter is not respected. When users specify a custom CA store to restrict which certificates are trusted (e.g., for certificate pinning), Twisted disregards this setting and falls back to the platform's default trust store [1][3]. This means any certificate signed by a recognized CA is accepted, regardless of the user's intentions.

Exploitation

An attacker can exploit this vulnerability by positioning themselves as a man-in-the-middle. Since the HTTP client will accept any certificate signed by a CA in the default trust store, the attacker can present a valid certificate from a public CA without triggering a warning. No additional authentication is required beyond the ability to intercept or redirect the client's network traffic [3].

Impact

Users relying on certificate pinning or restricting trust to specific CAs lose that protection. An attacker can impersonate legitimate HTTPS servers, leading to potential data interception, leakage, or manipulation. The impact is high as it undermines the security guarantees of TLS [1].

Mitigation

The issue is fixed in Twisted version 14.0.1. Users should upgrade to this version or later. No workaround is available other than ensuring the library is updated [3].
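The failure mode described in the sections above, as an added simulation (not Twisted's code): a client policy that accepts a trustRoot argument but verifies against the platform store, beside one that honours the argument. The CA names, hostname and certificates are constructed, the "certificate" is a toy (subject, issuer) pair, and the policy functions only stand in for `BrowserLikePolicyForHTTPS.creatorForNetloc`; no real X.509 parsing or TLS handshake takes place.

```python
"""Simulation of the CVE-2014-7143 failure mode.

Added example, not Twisted's code. It models an HTTPS client policy the way
BrowserLikePolicyForHTTPS is described on this page: a caller supplies a
trustRoot to restrict which CAs may sign the server certificate, and the
pre-14.0.1 policy silently verifies against the platform store instead.
Certificates, CA names and the hostname below are constructed; no real X.509
parsing or TLS handshake takes place.
"""
from dataclasses import dataclass

# Constructed stand-in for the platform's default CA bundle.
SYSTEM_TRUST_ROOT = frozenset({"PublicCA-A", "PublicCA-B"})


@dataclass(frozen=True)
class Certificate:
    """Toy leaf certificate: the name it binds and the CA that signed it."""
    subject: str
    issuer: str


@dataclass(frozen=True)
class ConnectionCreator:
    """Stand-in for the per-netloc connection creator: it records the hostname
    to check and the set of CAs the verifier will trust."""
    hostname: str
    trusted_issuers: frozenset

    def verify(self, cert: Certificate) -> bool:
        # Hostname match and chain-to-a-trusted-CA check must both succeed.
        return cert.subject == self.hostname and cert.issuer in self.trusted_issuers


def creator_for_netloc_vulnerable(hostname: str, trust_root=None) -> ConnectionCreator:
    """Pre-14.0.1 behaviour: trust_root is accepted by the signature but never used."""
    return ConnectionCreator(hostname, SYSTEM_TRUST_ROOT)


def creator_for_netloc_fixed(hostname: str, trust_root=None) -> ConnectionCreator:
    """14.0.1 behaviour: a supplied trust root replaces the platform store;
    None keeps the platform default, as before."""
    trusted = SYSTEM_TRUST_ROOT if trust_root is None else frozenset(trust_root)
    return ConnectionCreator(hostname, trusted)


# Constructed scenario: a client pinned to a private corporate CA.
PINNED_HOSTNAME = "api.internal.example"
PINNED_TRUST_ROOT = frozenset({"CorpInternalCA"})
SAMPLE_CERTS = {
    "corp_ca": Certificate(PINNED_HOSTNAME, "CorpInternalCA"),
    "public_ca_same_name": Certificate(PINNED_HOSTNAME, "PublicCA-A"),
    "public_ca_other_name": Certificate("other.example", "PublicCA-A"),
}


def audit_policy(creator_for_netloc) -> dict:
    """Return {label: accepted?} for each sample certificate under one policy,
    with the client pinned to PINNED_TRUST_ROOT."""
    creator = creator_for_netloc(PINNED_HOSTNAME, trust_root=PINNED_TRUST_ROOT)
    return {label: creator.verify(cert) for label, cert in SAMPLE_CERTS.items()}


def trust_root_honoured(creator_for_netloc) -> bool:
    """Regression check worth keeping in a project: pinning is honoured only if
    the pinned CA's certificate is accepted AND a public-CA certificate for the
    same hostname is rejected."""
    result = audit_policy(creator_for_netloc)
    return result["corp_ca"] and not result["public_ca_same_name"]


if __name__ == "__main__":
    for name, policy in (("vulnerable", creator_for_netloc_vulnerable),
                         ("fixed", creator_for_netloc_fixed)):
        print(name, audit_policy(policy), "pinning honoured:", trust_root_honoured(policy))
```

Running it shows the two symptoms side by side: the vulnerable policy rejects the legitimate private-CA certificate (the functional breakage users noticed) and accepts a public-CA certificate for the same name (the security hole), while the fixed policy does the reverse. The negative case in `trust_root_honoured` is the check the upstream test in the patch below does not cover.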

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Twisted (PyPI)
Affected versions: >= 14.0.0, < 14.0.1
Patched versions: 14.0.1

Affected products: 2

Patches: 1
3b5942252f5f

Applying patch from Glyph & Alex Gaynor, reviewed by David Reid

https://github.com/twisted/twisted · hawkowl · Sep 17, 2014 · via ghsa
3 files changed · +25 −1
  • twisted/web/client.py (+2 −1, modified)
    @@ -870,7 +870,8 @@ def creatorForNetloc(self, hostname, port):
             @rtype: L{client connection creator
                 <twisted.internet.interfaces.IOpenSSLClientConnectionCreator>}
             """
    -        return optionsForClientTLS(hostname.decode("ascii"))
    +        return optionsForClientTLS(hostname.decode("ascii"),
    +                                   trustRoot=self._trustRoot)
     
     
     
    
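Review bot: the fix is only complete if `self._trustRoot` is actually assigned in `BrowserLikePolicyForHTTPS.__init__` and defaults to `None`; that assignment is outside this hunk, so confirm it, since passing `trustRoot=None` through to `optionsForClientTLS` is what preserves the previous platform-trust behaviour for callers that never supply a trust root. The docstring at the top of the hunk could also state that the returned creator now honours the policy's trustRoot.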
  • twisted/web/test/test_agent.py (+22 −0, modified)
    @@ -40,6 +40,7 @@
     from twisted.python.deprecate import getDeprecationWarningString
     from twisted.python.versions import Version
     from twisted.web.client import BrowserLikePolicyForHTTPS
    +from twisted.internet._sslverify import IOpenSSLTrustRoot
     from twisted.web.error import SchemeNotSupported
     
     try:
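Review bot: `IOpenSSLTrustRoot` is imported from `twisted.internet._sslverify`, an underscore-prefixed private module, so the test couples itself to an internal name. Since the test itself implements this interface from the outside, consider whether it should be re-exported from a public module, or at least add a comment explaining why the private import is acceptable here.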
    @@ -1254,6 +1255,27 @@ def warnMe():
             )
     
     
    +    def test_alternateTrustRoot(self):
    +        """
    +        L{BrowserLikePolicyForHTTPS.creatorForNetloc} returns an
    +        L{IOpenSSLClientConnectionCreator} provider which will add certificates
    +        from the given trust root.
    +        """
    +        @implementer(IOpenSSLTrustRoot)
    +        class CustomOpenSSLTrustRoot(object):
    +            called = False
    +            context = None
    +            def _addCACertsToContext(self, context):
    +                self.called = True
    +                self.context = context
    +        trustRoot = CustomOpenSSLTrustRoot()
    +        policy = BrowserLikePolicyForHTTPS(trustRoot=trustRoot)
    +        creator = policy.creatorForNetloc(b"thingy", 4321)
    +        self.assertTrue(trustRoot.called)
    +        connection = creator.clientConnectionForTLS(None)
    +        self.assertIs(trustRoot.context, connection.get_context())
    +
    +
     
     class WebClientContextFactoryTests(TestCase):
         """
    
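Review bot: the new test uses `@implementer`, but this patch only adds the `IOpenSSLTrustRoot` import, so confirm `implementer` (from `zope.interface`) is already imported at the top of `test_agent.py`. The test also proves only that the supplied trust root is consulted (`trustRoot.called` and the context identity); it does not show that the platform trust root is no longer added, which is the actual bug. A second assertion that checks the context received only the custom root's certificates would pin that down.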
  • twisted/web/topfiles/7647.bugfix (+1 −0, added)
    @@ -0,0 +1 @@
    +BrowserLikePolicyForHTTPS would always ignore the specified trustRoot and use the system trust root instead, which has been rectified.
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in our index yet)