
CVE for dependency ecdsa

Open · trupus opened this issue 8 months ago

Hi,

I noticed you switched from starkbank-ecdsa to ecdsa. There are currently 2 vulnerabilities for ecdsa: CVE-2024-23342 and PVE-2024-64396.

For now I'm just ignoring them in my CI pipeline, but what would be a better solution going forward?

Thanks

trupus, May 28 '25 12:05
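One way to answer the CI question above with a check rather than a blanket ignore rule. This is an added example, not code from sendgrid-python or from the thread: it walks a distribution's installed dependency graph (via `importlib.metadata.requires`) and reports every path from a root package to a flagged package, so a pipeline step can fail only while the installed `sendgrid` actually reaches `ecdsa` and pass as soon as an upgrade drops it. The `SAMPLE_BEFORE`/`SAMPLE_AFTER` tables are constructed so the module runs offline; the package names and version pins in them are illustrative, not a record of sendgrid's real requirement list, and `SAMPLE_AFTER` is a hypothetical post-fix state.

```python
"""Dependency-path check: does a distribution's install closure still
pull in a flagged package (here: does `sendgrid` require `ecdsa`)?

Added example for this thread; it is not part of sendgrid-python.
`installed_requires()` reads real metadata from the current environment;
the SAMPLE_* tables below are constructed so the module runs offline.
"""
import re
import sys
from importlib import metadata
from typing import Callable, Dict, List, Optional

# PEP 508: a requirement string starts with the project name.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation, so 'Python_HTTP-Client' and
    'python-http-client' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> Optional[str]:
    """Normalised name of a PEP 508 requirement, or None when the
    requirement only applies to an optional extra (';extra == "x"'),
    which is not installed unless that extra was requested."""
    name_part, _, marker = spec.partition(";")
    if "extra" in marker:
        return None
    match = _NAME_RE.match(name_part)
    return normalize(match.group(1)) if match else None


Requires = Callable[[str], List[str]]


def installed_requires(dist: str) -> List[str]:
    """Requirement strings recorded for an installed distribution,
    or [] when it is not installed."""
    try:
        return metadata.requires(dist) or []
    except metadata.PackageNotFoundError:
        return []


def table_requires(table: Dict[str, List[str]]) -> Requires:
    """Adapt a constructed {dist: [requirement, ...]} table to the same
    interface as installed_requires(), for offline use and tests."""
    lookup = {normalize(k): v for k, v in table.items()}
    return lambda dist: lookup.get(normalize(dist), [])


def dependency_paths(root: str, target: str, requires: Requires) -> List[List[str]]:
    """Every path root -> ... -> target in the dependency graph that
    `requires` describes. Each path is a list of normalised names;
    an empty result means the target is not reachable. Nodes already
    on the current path are skipped, so dependency cycles terminate."""
    root, target = normalize(root), normalize(target)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        for spec in requires(node):
            dep = requirement_name(spec)
            if dep is None or dep in path:
                continue
            if dep == target:
                paths.append(path + [dep])
            else:
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


# Constructed sample environments (illustrative names and version pins).
# "before": the state the thread complains about; "after": a hypothetical
# release whose metadata no longer lists ecdsa.
SAMPLE_BEFORE: Dict[str, List[str]] = {
    "sendgrid": ["python_http_client>=3.2.1", "ecdsa>=0.18.0", "werkzeug>=0.9.4"],
    "ecdsa": ["six>=1.9.0"],
    "python-http-client": [],
    "werkzeug": ["MarkupSafe>=2.1.1"],
    "six": [],
    "MarkupSafe": [],
    "pytest": ["pluggy>=1.5", 'hypothesis; extra == "testing"'],  # unrelated
}
SAMPLE_AFTER: Dict[str, List[str]] = {
    **SAMPLE_BEFORE,
    "sendgrid": ["python_http_client>=3.2.1", "werkzeug>=0.9.4"],
}


def main(argv: List[str]) -> int:
    """CI entry point: `python check_dep.py sendgrid ecdsa` exits 1 while
    the installed sendgrid still reaches ecdsa, 0 once it does not."""
    if len(argv) != 3:
        print("usage: check_dep.py <root-dist> <flagged-dist>", file=sys.stderr)
        return 2
    found = dependency_paths(argv[1], argv[2], installed_requires)
    for path in found:
        print(" -> ".join(path))
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats for using this in a pipeline: `metadata.requires` returns the requirement strings declared by the installed version, and this script only evaluates the `extra` marker, so requirements gated on `python_version` or `sys_platform` are counted even where they would not install (it can over-report, never under-report). And the check answers whether the flagged distribution is present in the closure, which is also what the scanners in the thread key on; whether your code ever exercises the affected functionality is a separate question that dependency metadata cannot answer.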

Hello! Thanks for raising the issue. We are taking a look at alternatives.

manisha1997, May 30 '25 08:05

@manisha1997 any updates on this?

gwynhowell, Jul 01 '25 11:07

Paper trail:

  • starkbank-ecdsa was removed as part of https://github.com/sendgrid/sendgrid-python/pull/1085
  • ecdsa has no plans to fix the vulnerability: https://github.com/tlsfuzzer/python-ecdsa/issues/330

avalatea, Jul 28 '25 17:07

Hi,

Any update?

yonatan-shorani, Aug 01 '25 19:08

unreal.

https://github.com/tlsfuzzer/python-ecdsa?tab=readme-ov-file#security


dacevedo12, Aug 06 '25 00:08

Hi team,

We’re currently using the SendGrid Python library primarily for sending emails in our application, and our security scanner has flagged a vulnerability (CVE-2024-23342) related to the ecdsa dependency included in the latest release. Given the severity and the absence of a patched version of ecdsa, we’re concerned about the impact on production systems.

We would appreciate it if you could provide an estimated timeline for when the fix might be available.

Thanks for your support!

an-squared, Aug 19 '25 10:08

Any update on this?

pmdevita, Sep 04 '25 20:09

+1 on prioritizing this fix and possibly using #1114 to replace the ecdsa library altogether.

Our product uses sendgrid but will not be upgrading to a vulnerable version of it.

garikkh, Sep 10 '25 21:09

Apologies for the delay! The PR #1114 has been merged and the fix will be available in our coming release. Thanks for your patience!

tiwarishubham635, Sep 11 '25 07:09

When can we expect a release, please?

msimon3, Sep 19 '25 00:09

A new release with the fix is out: thanks! 🙏

enricomarchesin, Sep 23 '25 09:09