A critical vulnerability in the widely-used python-json-logger library has been identified, potentially allowing attackers to execute arbitrary code on affected systems. 

The flaw, tracked as CVE-2025-27607 with an initial CVSS score of 8.8, affects versions 3.2.0 and 3.2.1 of the package and stems from a declared dependency that was missing from PyPI.

Security researcher @omnigodz discovered the vulnerability while conducting experimental research on supply chain attacks. 

The researcher identified that the python-json-logger package declared a dependency named msgspec-python313-pre in its pyproject.toml file, but no package of that name existed on PyPI or was registered by any entity.

“During my research, I discovered a significant flaw affecting packages published on package managers,” explained @omnigodz. 

“I was able to identify that the PyPi package ‘python-json-logger’ uses an optional dependency that wasn’t present on the PyPi repository nor registered by any entity.”

The vulnerability arises because the msgspec-python313-pre dependency was deleted by its owner, leaving the name available for anyone to claim.


This created a scenario where a malicious actor could publish a package with the same name containing harmful code. 

Proof-of-Concept (PoC)

When users install python-json-logger with its development dependencies using the command pip install python-json-logger[dev] in a Python 3.13 environment, they would unwittingly download and execute the malicious package.

To demonstrate the vulnerability without causing harm, the researcher temporarily published a non-malicious package under the same name and then deleted it, effectively preventing exploitation by malicious actors. 

The researcher has retained registration of the project name so that nobody else can claim it for malicious use.

“This release did not have any malicious content as I do not want to break any policies set by PyPi.org and neither want to infect any of the users of the python-json-logger package,” stated the researcher.

The python-json-logger package is extremely popular, with over 43 million monthly downloads according to the PyPI BigQuery database. This widespread usage significantly amplifies the potential impact of the vulnerability.

The issue persisted because, although the dependency had been removed from the project repository in commit 1ce81a3 about a month earlier, no new release had been published after 3.2.1, so users of those versions remained exposed.

The Centre for Cybersecurity Belgium issued a warning, stating: “We strongly recommend installing updates for vulnerable devices with the highest priority, after thorough testing.”

Mitigations

The vulnerability has been patched in version 3.3.0, which users should upgrade to immediately. Additionally, PyPI administrators have taken steps to block the name of the missing package, preventing it from being reclaimed by malicious actors. 

Due to these protective measures, the severity rating has been downgraded from High to Low.

Organizations using the affected library are advised to audit their dependency manifests, upgrade to the patched version, and monitor for suspicious activity. If msgspec-python313-pre is still part of your dependencies, it should be removed immediately.
