
CVE-2025-27607

Severity: High · Public PoC available

Published: 07 March 2025
Modified: 01 July 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2176 (95.8th percentile)
Risk Priority: 31 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Security Summary

CVE-2025-27607 is a remote code execution (RCE) vulnerability in Python JSON Logger, a JSON formatter for Python's logging module. The issue existed between December 30, 2024, and March 4, 2025, because a development dependency named msgspec-python313-pre had been deleted by its owner, leaving the package name available for a third party to claim. Users installing the development dependencies of Python JSON Logger on Python 3.13, for example with the command "pip install python-json-logger[dev]", risked pulling in a malicious package published under that name.

An attacker with no privileges could exploit this by claiming the abandoned package name on the Python Package Index (PyPI) and publishing malicious code. Exploitation requires user interaction, specifically installing the affected development dependencies during the vulnerability window on Python 3.13, after which the attacker achieves RCE with high impacts on confidentiality, integrity, and availability (CVSS 8.8; AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability has been resolved in Python JSON Logger version 3.3.0. GitHub security advisory GHSA-wmxh-pxcx-9w24 and related commits detail the fix, which addresses the dependency issue. Practitioners should upgrade to 3.3.0 or later and review dependency installation practices, particularly for development extras.

Details

CWE(s)
CWE-829 · NVD-CWE-noinfo

Affected Products

nhairs · python json logger · ≤ 3.3.0

MITRE ATT&CK Enterprise Techniques

T1195.001 Compromise Software Dependencies and Development Tools (Tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The CVE describes a supply chain attack in which an attacker reclaims an abandoned dependency package name on PyPI and publishes malicious code under it; that package is then pulled in during 'pip install python-json-logger[dev]' on Python 3.13, directly enabling RCE. This maps to T1195.001: Compromise Software Dependencies and Development Tools.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
