CVE-2025-27607
Published: 07 March 2025
Summary
CVE-2025-27607 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Nhairs Python Json Logger. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks in the top 4.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-19 (Component Authenticity) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Verifies the authenticity of software components such as PyPI dependencies, preventing installation of malicious packages that claim abandoned names like msgspec-python313-pre.
- Requires verification of component authenticity prior to installation, directly mitigating risks from untrusted or substituted dependencies in package managers like pip.
- Enforces integrity checks via hashes or signatures on software and firmware, preventing execution of malicious code from compromised development dependencies.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a supply-chain attack in which an attacker reclaims an abandoned dependency package name on PyPI and publishes malicious code, which is then pulled in by 'pip install python-json-logger[dev]' on Python 3.13, directly enabling RCE. This maps to T1195.001: Compromise Software Dependencies and Development Tools.
NVD Description
Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.
Deeper analysis
CVE-2025-27607 is a remote code execution (RCE) vulnerability in Python JSON Logger, a JSON formatter for Python's logging module. The issue arose between December 30, 2024, and March 4, 2025, due to a missing dependency called msgspec-python313-pre, which was deleted by its owner and left available for claiming by a third party. Users installing development dependencies for Python JSON Logger on Python 3.13, such as via the command "pip install python-json-logger[dev]", were at risk of pulling in a malicious package under that name.
An attacker with no privileges could exploit this by claiming the abandoned package name on the Python Package Index (PyPI) and publishing malicious code. Exploitation requires user interaction, specifically installing the affected development dependencies during the vulnerability window on Python 3.13, after which the attacker achieves RCE with high impacts on confidentiality, integrity, and availability (CVSS 8.8; AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vulnerability has been resolved in Python JSON Logger version 3.3.0. GitHub security advisory GHSA-wmxh-pxcx-9w24 and related commits detail the fix, which addresses the dependency issue. Practitioners should upgrade to 3.3.0 or later and review dependency installation practices, particularly for development extras.
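As an added example (not code from the advisory or from the python-json-logger project), the following checker implements the hash-pinning half of the integrity control listed above and the dependency-installation review recommended here: it flags requirement lines that `pip install --require-hashes` would reject, so an unpinned, hash-less name like the one in this advisory cannot be pulled in silently. The sample requirements text and the all-zero digest placeholder are constructed; `audit_requirements(SAMPLE_REQUIREMENTS)` returns two findings, one for the unpinned name and one for the malformed digest.

```python
"""Audit a pip requirements file for the == pins and --hash entries that
`pip install --require-hashes` needs in order to refuse a substituted artifact.
Added example, not from the advisory or python-json-logger; sample data is constructed."""
import re
from dataclasses import dataclass, field

# name[extras]==version, optional ';' environment marker, then any --hash options
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?"
    r"\s*==\s*(?P<version>[^\s;]+)(?:\s*;[^-]*)?(?P<rest>.*)$"
)
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
DIGEST_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}

@dataclass
class Finding:
    logical_line: int          # index after joining backslash continuations
    text: str
    problems: list = field(default_factory=list)

def audit_requirements(text: str) -> list:
    """Return one Finding per requirement that --require-hashes would reject."""
    findings = []
    # Join backslash continuations so multi-line --hash options are seen together.
    for n, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r / --index-url
        finding, m = Finding(n, line), REQ_RE.match(line)
        if m is None:
            finding.problems.append("not pinned with ==")
        else:
            hashes = HASH_RE.findall(m.group("rest"))
            if not hashes:
                finding.problems.append("no --hash entries")
            for algo, digest in hashes:
                if len(digest) != DIGEST_LEN[algo]:
                    finding.problems.append(f"malformed {algo} digest")
        if finding.problems:
            findings.append(finding)
    return findings

PLACEHOLDER_SHA256 = "0" * 64  # constructed placeholder, not a real digest
SAMPLE_REQUIREMENTS = (
    "# constructed sample: a dev extra that drags in an unpinned name\n"
    "python-json-logger==3.3.0 \\\n"
    f"    --hash=sha256:{PLACEHOLDER_SHA256}\n"
    "msgspec-python313-pre\n"                  # no pin, no hash: claimable name
    "pytest==8.3.4 --hash=sha256:deadbeef\n"   # pinned, but digest is malformed
)
```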
Details
- CWE(s)