A critical vulnerability was identified in the python-json-logger library, affecting versions 3.2.0 and 3.2.1. The flaw, CVE-2025-27607, could have permitted arbitrary code execution because of a missing dependency, msgspec-python313-pre, whose package had been removed from PyPI but was still referenced by the releases, leaving the name available for anyone to claim. Fortunately, mitigation steps were quickly taken by both the researcher who discovered the vulnerability and PyPI administrators. The researcher secured the package name to prevent malicious use, and PyPI administrators blocked the name to keep threat actors from reclaiming it. A patch was provided in version 3.3.0 of the library. Because of these actions, the impact and the potential for exploitation were minimized, and the severity rating was consequently downgraded from High to Low.
Source: https://cybersecuritynews.com/python-json-logger-vulnerability/
"id": "pyp726040825",
"linkid": "pypi?trk=similar-pages",
"type": "Vulnerability",
"date": "4/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"