{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27607", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-03T15:10:34.079Z", "datePublished": "2025-03-07T16:18:13.789Z", "dateUpdated": "2025-03-07T17:50:28.395Z"}, "containers": {"cna": {"title": "Python JSON Logger has a Potential RCE via missing `msgspec-python313-pre` dependency", "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "lang": "en", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24"}, {"name": "https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a"}, {"name": "https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72", "tags": ["x_refsource_MISC"], "url": "https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72"}], "affected": [{"vendor": "nhairs", "product": "python-json-logger", "versions": [{"version": ">= 3.2.0, < 3.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-07T16:18:13.789Z"}, "descriptions": [{"lang": "en", "value": "Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0."}], "source": {"advisory": "GHSA-wmxh-pxcx-9w24", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-07T17:50:10.208993Z", "id": "CVE-2025-27607", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T17:50:28.395Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27607", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-07T17:50:10.208993Z"}}}], "references": [{"url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T17:50:22.682Z"}}], "cna": {"title": "Python JSON Logger has a Potential RCE via missing `msgspec-python313-pre` dependency", "source": {"advisory": "GHSA-wmxh-pxcx-9w24", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nhairs", "product": "python-json-logger", "versions": [{"status": "affected", "version": ">= 3.2.0, < 3.3.0"}]}], "references": [{"url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "name": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a", "name": "https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72", "name": "https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-07T16:18:13.789Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27607", "state": "PUBLISHED", "dateUpdated": "2025-03-07T17:50:28.395Z", "dateReserved": "2025-03-03T15:10:34.079Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-07T16:18:13.789Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nhairs:python_json_logger:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA9BD397-6EA3-4A43-B9BD-9EDE62A278FB", "versionEndExcluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0."}, {"lang": "es", "value": "Python JSON Logger es un formateador JSON para el registro de Python. Entre el 30 de diciembre de 2024 y el 4 de marzo de 2025, Python JSON Logger fue vulnerable a RCE debido a una dependencia faltante. Esto ocurri\u00f3 porque el propietario elimin\u00f3 msgspec-python313-pre, lo que dej\u00f3 el nombre abierto a que un tercero lo reclamara. Si se reclamaba el paquete, les permitir\u00eda realizar RCE en cualquier usuario de Python JSON Logger que instalara las dependencias de desarrollo en Python 3.13 (por ejemplo, pip install python-json-logger[dev]). Este problema se ha resuelto con la versi\u00f3n 3.3.0."}], "id": "CVE-2025-27607", "lastModified": "2025-07-01T16:22:57.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-07T17:15:22.433", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-json-logger: Python JSON Logger has a Potential RCE via missing `msgspec-python313-pre` dependency", "id": "2350638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2350638"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-829", "details": ["Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0.", "A flaw was found in the Python JSON Logger library (python-json-logger). In affected versions, python-json-logger was vulnerable to remote code execution (RCE) due to a missing dependency. This issue occurred because `msgspec-python313-pre` was deleted by the owner, leaving the name open to being claimed by a third party. If the package were claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13, such as `pip install python-json-logger[dev]`."], "mitigation": {"lang": "en:us", "value": "No mitigation is available for this issue other than updating the affected package to the version containing the fix."}, "name": "CVE-2025-27607", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "python-json-logger", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "python-json-logger", "product_name": "Red Hat OpenStack Platform 17.1"}], "public_date": "2025-03-07T16:18:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27607\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27607\nhttps://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a\nhttps://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72\nhttps://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24"], "statement": "None of the Red Hat Products and Services are impacted by this vulnerability.", "threat_severity": "Important"}

{}