CVE-2025-27607

Published: Mar 7, 2025

Modified: Mar 7, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.

Vendor	Product	Versions
nhairs	python-json-logger	affected `>= 3.2.0, < 3.3.0`

Weaknesses (CWE)

CWE-829

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24

x_refsource_CONFIRM

https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a

x_refsource_MISC

https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-27607

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References