Friday, April 3, 2026

Python JSON Logger Vulnerability Enables Remote Code Execution – PoC Released

A recent security disclosure has revealed a remote code execution (RCE) vulnerability, CVE-2025-27607, in the Python JSON Logger package (python-json-logger on PyPI), affecting versions 3.2.0 and 3.2.1.

The vulnerability arises from a dangling dependency: the package declared "msgspec-python313-pre" as a dependency after that project had been removed from PyPI, so a malicious actor could have exploited it simply by publishing a package under the same name.

Although the severity has been downgraded to “Low,” the issue underscores the risks in supply chain security within open-source ecosystems.

  • Weakness: CWE-829 – Inclusion of Functionality from Untrusted Control Sphere
  • Severity: Low (originally rated High at 8.8 under CVSS 3.1)

CVE-2025-27607: Vulnerability Summary

Between December 30, 2024, and March 4, 2025, the PyPI package python-json-logger was vulnerable to RCE due to a missing dependency.

The package specified msgspec-python313-pre as an optional development dependency. However, that project had been deleted from PyPI, leaving the name open for a third party to claim and publish under it, with code of their choosing, that pip would then install as a dependency of python-json-logger.

While the vulnerability was discovered during experimental research, the researcher (@omnigodz) did not exploit it maliciously.

They registered the dependency and published a release solely for demonstration purposes, later deleting the release. PyPI administrators have since blocked the name to prevent further claims.

Proof of Concept (PoC)

The vulnerability was demonstrated during research on supply chain attacks.

If a malicious actor had claimed the msgspec-python313-pre name, any user installing python-json-logger with its [dev] extra on Python 3.13.x would have pulled in that attacker-controlled package, and arbitrary code in it would have run on the installing machine.

The researcher provided a detailed report on this attack scenario.

Affected Products

Package Name               Affected Versions   Patched Versions
python-json-logger (pip)   3.2.0, 3.2.1        >= 3.3.0

Python JSON Logger, which has seen over 46 million monthly downloads on PyPI, is widely used to format JSON-based log records.

Had a threat actor claimed the msgspec-python313-pre name, users installing the dev extra of the affected Python JSON Logger versions on Python 3.13 would have been exposed to arbitrary code execution at install time, with malware infection the likely result.

The vulnerability has been addressed in version 3.3.0 of the Python JSON Logger, which drops the dangling dependency. Users are advised to upgrade to this version immediately. Steps to remediate:

  1. Upgrade to the patched version (>= 3.3.0):
     pip install python-json-logger --upgrade
  2. Verify dependencies before installing packages, especially development extras such as [dev]: a declared dependency whose name no longer exists on PyPI can be claimed by anyone.
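The check in step 2, and the attack scenario from the Proof of Concept section, in working code. This is an added example, not part of the original report and not the python-json-logger project's own tooling. It reads the dependency groups from a pyproject.toml, normalises each name the way PyPI does (PEP 503), and reports any name that is absent from an index listing; an absent name is exactly what a third party could register. The index is passed in as a set so the script runs offline; SAMPLE_PYPROJECT and FAKE_INDEX are constructed for the demo, and the optional pypi_has_project helper, which does query the live index through PyPI's JSON endpoint, is not invoked by default. is_patched implements the 3.3.0 floor from step 1 with a simplified numeric comparison.

```python
"""Audit declared dependencies for dangling (claimable) names.

Added example; not the python-json-logger project's own code. The sample
pyproject text and the fake index below are constructed for the demo.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed: same shape as a project whose dev extra pulls a package that
# only matters on Python 3.13 and that no longer exists on the index.
SAMPLE_PYPROJECT = """
[project]
name = "demo-app"
dependencies = ["python-json-logger>=3.2.0,<3.3"]

[project.optional-dependencies]
dev = [
  "black",
  "msgspec-python313-pre; python_version >= '3.13'",
]
"""

# Constructed stand-in for "what the index currently serves".
# msgspec-python313-pre is deliberately absent, as it was on PyPI.
FAKE_INDEX = {"python-json-logger", "Black", "msgspec"}

# PEP 508 project name: alphanumerics with ., _, - allowed in the middle.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str:
    """Normalised name from a requirement string; drops extras ([dev]),
    version specifiers (>=3.2) and environment markers (; python_version...)."""
    m = _NAME_RE.match(spec)
    if not m:
        raise ValueError(f"cannot parse requirement: {spec!r}")
    return normalize(m.group(1))


def extras_from_pyproject(text: str) -> Dict[str, List[str]]:
    """Return {"main": [...], "<extra>": [...]} from pyproject.toml text."""
    import tomllib  # stdlib since Python 3.11

    project = tomllib.loads(text).get("project", {})
    groups = {"main": list(project.get("dependencies", []))}
    groups.update(project.get("optional-dependencies", {}))
    return groups


def dangling_dependencies(groups: Dict[str, List[str]],
                          index_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (group, name) for every declared name not on the index.
    Those are the names an attacker could register and have pip install."""
    known = {normalize(n) for n in index_names}
    found = []
    for group, specs in groups.items():
        for spec in specs:
            name = requirement_name(spec)
            if name not in known:
                found.append((group, name))
    return found


def is_patched(version: str, floor: Tuple[int, int, int] = (3, 3, 0)) -> bool:
    """True if version >= floor. Simplified: compares the first three numeric
    components only; use packaging.version for pre-release semantics."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= floor


def pypi_has_project(name: str, timeout: float = 5.0) -> bool:
    """Optional live lookup (network). 404 from /pypi/<name>/json means no
    project currently owns the name; it does not prove the name is registrable."""
    import urllib.error
    import urllib.request

    url = f"https://pypi.org/pypi/{normalize(name)}/json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise


if __name__ == "__main__":
    groups = extras_from_pyproject(SAMPLE_PYPROJECT)
    for group, name in dangling_dependencies(groups, FAKE_INDEX):
        print(f"[{group}] {name}: not on index, claimable by a third party")
```

Two caveats when running this against the real index: a 404 means nobody currently owns the name, not that it can be registered, since PyPI administrators can prohibit a name (as they did with msgspec-python313-pre); and a name that does exist may belong to someone other than the maintainer you expect, which no presence check can tell you. Pinning with hashes (pip's --require-hashes) is the control that actually stops an unexpected package from installing.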

This incident highlights critical supply chain security concerns in open-source projects. Developers maintaining packages should regularly audit their declared dependencies, including optional and development extras, and promptly remove references to any dependency that has been deleted from the index or deprecated.

While the immediate threat has been mitigated, the disclosure underscores the importance of vigilance in package management ecosystems.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
