CVE-2025-27607

{"id": "CVE-2025-27607", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-03-07T17:15:22.433", "references": [{"url": "https://github.com/nhairs/python-json-logger/commit/2548e3a2e3cedf6bef3ee7c60c55b7c02d1af11a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nhairs/python-json-logger/commit/e7761e56edb980cfab0165e32469d5fd017a5d72", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-829"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Python JSON Logger is a JSON Formatter for Python Logging. Between 30 December 2024 and 4 March 2025 Python JSON Logger was vulnerable to RCE through a missing dependency. This occurred because msgspec-python313-pre was deleted by the owner leaving the name open to being claimed by a third party. If the package was claimed, it would allow them RCE on any Python JSON Logger user who installed the development dependencies on Python 3.13 (e.g. pip install python-json-logger[dev]). This issue has been resolved with 3.3.0."}, {"lang": "es", "value": "Python JSON Logger es un formateador JSON para el registro de Python. Entre el 30 de diciembre de 2024 y el 4 de marzo de 2025, Python JSON Logger fue vulnerable a RCE debido a una dependencia faltante. Esto ocurri\u00f3 porque el propietario elimin\u00f3 msgspec-python313-pre, lo que dej\u00f3 el nombre abierto a que un tercero lo reclamara. Si se reclamaba el paquete, les permitir\u00eda realizar RCE en cualquier usuario de Python JSON Logger que instalara las dependencias de desarrollo en Python 3.13 (por ejemplo, pip install python-json-logger[dev]). Este problema se ha resuelto con la versi\u00f3n 3.3.0."}], "lastModified": "2025-07-01T16:22:57.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nhairs:python_json_logger:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA9BD397-6EA3-4A43-B9BD-9EDE62A278FB", "versionEndExcluding": "3.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}