CVE-2025-27607
Published: 07 March 2025
Summary
CVE-2025-27607 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Nhairs Python Json Logger. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-19 (Component Authenticity) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
Python JSON Logger, a JSON formatter for Python logging, contained a remote code execution vulnerability between 30 December 2024 and 4 March 2025. The flaw arose because the msgspec-python313-pre dependency was removed by its owner, leaving its name available for takeover on PyPI; any installation of development dependencies on Python 3.13 (for example, pip install python-json-logger[dev]) would then pull in attacker-controlled code.
An unauthenticated attacker who registered the orphaned package name could execute arbitrary code on affected systems during dependency resolution. The attack requires the victim to explicitly request the optional dev extras and targets only Python 3.13 environments, resulting in full compromise of confidentiality, integrity, and availability.
The project addressed the issue in release 3.3.0 through changes that eliminate reliance on the deleted package, as documented in the accompanying GitHub security advisory and the commits that updated dependency declarations. The EPSS score has remained flat at its peak value of 0.2176 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7799
Vulnerability details
Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the…
more
name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a supply chain attack where an attacker reclaims an abandoned dependency package name on PyPI and publishes malicious code, which is pulled in during 'pip install python-json-logger[dev]' on Python 3.13, directly enabling RCE. This maps to T1195.001: Compromise Software Dependencies and Development Tools.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Verifies the authenticity of software components such as PyPI dependencies to prevent installation of malicious packages claiming abandoned names like msgspec-python313-pre.
Requires verification of component authenticity prior to installation, directly mitigating risks from untrusted or substituted dependencies in package managers like pip.
Enforces integrity checks via hashes or signatures on software and firmware, preventing execution of malicious code from compromised development dependencies.