PYSEC-2023-234 (esptool): missing fixed version, upstream issue closed

[Spunky84]

Vulnerability

PYSEC-2023-234 / CVE-2023-46894 — esptool "Cryptographic API Misuse Vulnerability: AES ECB used for initialization"

Problem

The advisory does not specify a fixed version. The upstream issue (espressif/esptool#926) has been closed by the maintainers. The explanation is that AES ECB usage is a hardware limitation of early ESP32 revisions (pre-ECO3), not a software bug that can be patched.

The latest esptool release is 5.2.0 (2025-02-18), but osv-scanner still flags it because no fixed version is recorded in the advisory.

Suggested action

Either:

• Mark the advisory as fixed in a specific version, or
• Add a note that this is a hardware limitation acknowledged and closed by the maintainer, so downstream scanners can stop flagging current versions.

References

• OSV: https://osv.dev/vulnerability/PYSEC-2023-234
• Upstream issue: Cryptographic API Misuse Vulnerability: AES ECB used for initialization (ESPTOOL-756) espressif/esptool#926 (closed)
• Latest release: https://github.com/espressif/esptool/releases/tag/v5.2.0

[gnought]

espressif/esptool#926 (comment)

As comment, there's no fixed version. ECB is still used in older Espressif chips which they plan to continue supporting in esptools.

[Spunky84]

@gnought is right — there is no fixed version, and there won't be one. Building on that point, I believe this advisory should be withdrawn entirely.

Why this is not a software vulnerability

The AES ECB code in esptool exists because early ESP32 chip revisions (pre-ECO3) physically require it for Secure Boot v1 and flash encryption. The hardware has no support for other modes — esptool simply implements the protocol the chip demands. As gnought noted, Espressif plans to continue supporting these older chips, so the ECB code path will remain. (Espressif maintainer confirmation)

Newer chip families (ESP32-S2, S3, C3, etc.) use AES-XTS and RSA-3072/ECDSA, and esptool supports those as well (since v3.0/v3.1). But removing ECB would break support for hardware that is still in active use.

Why fixed doesn't apply either

There is no version of esptool that "fixes" this, because there is nothing to fix:

• Removing ECB would break support for existing hardware
• The ECB code is present in every version, including the latest (v5.2.0)
• The original reporter flagged ECB usage without considering the hardware context

This is comparable to an SSH client supporting legacy protocol versions for older servers — the presence of a weaker code path for compatibility is not a vulnerability in the tool itself.

Suggested resolution

Withdraw PYSEC-2023-234. The weakness is in the ESP32 silicon, not in esptool. Keeping this advisory active causes every version of esptool to be flagged indefinitely, with no actionable remediation for users.

References:

• Espressif maintainer statement: espressif/esptool#926 (comment)
• ESP-IDF docs: Secure Boot v1, Flash Encryption
• Secure Boot V2 added in esptool v3.0 (Nov 2020), AES-XTS in v3.1 (May 2021)