A significant vulnerability has been uncovered in the Python JSON Logger package (python-json-logger), affecting versions 3.2.0 and 3.2.1.
This flaw, CVE-2025-27607 allows for remote code execution (RCE) due to misusing a missing dependency known as msgspec-python313-pre.
The issue gained widespread attention due to a recent experiment demonstrating how malicious actors could exploit this vulnerability by claiming and manipulating the missing dependency.
Details of the Vulnerability
The problem arose when the msgspec-python313-pre dependency was deleted from PyPi.
This deletion left the dependency name available for anyone to claim, potentially allowing malicious actors to publish a package with the same name.
If a malicious actor were to claim the dependency, users who installed the development dependencies of python-json-logger using pip install python-json-logger[dev] on Python 3.13 could unknowingly download and execute malicious code.
The vulnerability was discovered during research on supply chain attacks by @omnigodz. The researcher identified that while the dependency was not present in PyPi, it was still declared in the pyproject.toml file of python-json-logger version 3.2.1.
Affected Versions
To demonstrate the vulnerability without causing harm, the researcher temporarily published a non-malicious package under the same name and then deleted it.
This action prevented potential malicious actors from exploiting the vulnerability by ensuring the package name is now associated with a trusted entity.
Impact and Response
The python-json-logger package is widely used, with over 46 million monthly downloads, according to the official PyPi BigQuery database.
Although there is no evidence that the vulnerability was exploited before its public disclosure, the potential impact is significant.
Any user installing the development dependencies of python-json-logger could have been at risk if a malicious actor had claimed the msgspec-python313-pre dependency.
To address this issue, the maintainers of python-json-logger have released version 3.3.0, which no longer includes the vulnerable dependency.
Users of affected versions are advised to update to the latest version as soon as possible to mitigate the risk of RCE attacks.
This incident highlights the importance of maintaining and securing dependencies in software packages.
It also underscores the need for vigilance in supply chain security within open-source ecosystems.
While this particular vulnerability has been addressed, it serves as a reminder for developers and users alike to stay informed about potential security risks and to keep their software up-to-date.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
