
CVE-2025-27607

Severity: High · Public PoC referenced

Published: 07 March 2025
Modified: 01 July 2025
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.2176 (95.9th percentile)
Risk priority: 31 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27607 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Nhairs Python Json Logger. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks in the top 4.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-19 (Component Authenticity) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

Python JSON Logger, a JSON formatter for Python logging, contained a remote code execution vulnerability between 30 December 2024 and 4 March 2025. The flaw arose because the msgspec-python313-pre dependency was removed by its owner, leaving its name available for takeover on PyPI; any installation of development dependencies on Python 3.13 (for example, pip install python-json-logger[dev]) would then pull in attacker-controlled code.

An unauthenticated attacker who registered the orphaned package name could execute arbitrary code on affected systems during dependency resolution. The attack requires the victim to explicitly request the optional dev extras and targets only Python 3.13 environments, resulting in full compromise of confidentiality, integrity, and availability.

The project addressed the issue in release 3.3.0 through changes that eliminate reliance on the deleted package, as documented in the accompanying GitHub security advisory and the commits that updated dependency declarations. The EPSS score has remained flat at its peak value of 0.2176 with no material increase observed after disclosure.
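The takeover described above works because the dev extras resolve msgspec-python313-pre by name alone, so whatever is published under that name installs. The following is an added example, not code from this record or from the python-json-logger project: a small audit of a pip requirements file that reports entries lacking a --hash pin, i.e. the ones pip's hash-checking mode (pip install --require-hashes) would refuse, which is the hash/signature integrity check listed under Mitigating Controls. The sample requirements text, its digests and the function names are constructed for illustration.

```python
import re

# Constructed sample of a pip-compile style requirements file for the dev extras.
# The sha256 digests are placeholders, not real package hashes.
SAMPLE_REQUIREMENTS = """\
# resolved on Python 3.13
python-json-logger==3.2.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
msgspec-python313-pre==0.19.0a1 ; python_version >= "3.13"
pytest==8.3.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000002
"""

# project name, optional extras, optional exact-version pin (PEP 508 subset)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(===?)?\s*([^\s;]*)")


def _logical_lines(text):
    """Join backslash-continued physical lines; drop comments and blanks."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line.strip())
        yield " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield " ".join(buf)


def audit_requirements(text):
    """Map each requirement name to whether it is version-pinned and hash-pinned."""
    report = {}
    for line in _logical_lines(text):
        m = REQ_RE.match(line)
        if not m:
            continue  # option-only lines such as "--index-url ..." are skipped
        name = m.group(1).lower()
        pinned = m.group(3) is not None and bool(m.group(4))
        report[name] = {"pinned": pinned, "hashed": "--hash=" in line}
    return report


def unverifiable(text):
    """Requirements that `pip install --require-hashes` would refuse to install."""
    return sorted(name for name, r in audit_requirements(text).items() if not r["hashed"])
```

Run against the dev extras lockfile in CI: any name reported by unverifiable() is one that a substituted upload on PyPI would install without an integrity check.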


Vulnerability details

Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.

CWE(s): CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The CVE describes a supply chain attack where an attacker reclaims an abandoned dependency package name on PyPI and publishes malicious code, which is pulled in during 'pip install python-json-logger[dev]' on Python 3.13, directly enabling RCE. This maps to T1195.001: Compromise Software Dependencies and Development Tools.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Affected Assets

Vendor: nhairs
Product: python json logger
Versions: ≤ 3.3.0

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Verifies the authenticity of software components such as PyPI dependencies to prevent installation of malicious packages claiming abandoned names like msgspec-python313-pre.

prevent: Requires verification of component authenticity prior to installation, directly mitigating risks from untrusted or substituted dependencies in package managers like pip.

prevent: Enforces integrity checks via hashes or signatures on software and firmware, preventing execution of malicious code from compromised development dependencies.
