Reference: Advisory #2025-52
Version: 1.0
Affected software: python-json-logger
Type: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVE/CVSS: CVE-2025-27607: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27607
The popular python-json-logger Python package was vulnerable to RCE through a missing dependency. This dependency, msgspec-python313-pre, was removed by its owner, leaving the name free to be claimed by a malicious actor, who could then perform a supply-chain attack and achieve remote code execution on any system that installs it.
No malicious activity has been observed, but any misuse of this library could have had a high impact on Confidentiality, Integrity and Availability. We therefore recommend patching the python-json-logger package and removing msgspec-python313-pre from the dependencies of all projects.
CVE-2025-27607, CVSS 8.8
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
This vulnerability stems from a dependency of python-json-logger called msgspec-python313-pre. Because that package was removed by its owner, the name was left open for an attacker to register a new package under the same name and achieve remote code execution on systems that depend on it. At the time of writing, a package with the same name is active and is owned by a researcher as a proof of concept.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The issue is patched in version 3.3.0. If msgspec-python313-pre is still part of your dependencies, you should remove it.
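The two remediation checks above (python-json-logger at or above the fixed version 3.3.0, and msgspec-python313-pre absent from the dependency set) can be scripted so they run in CI or across a fleet. The following is an added example written for this page; it is not code from the CCB advisory or from the python-json-logger project. It assumes dependencies are listed in the usual requirements-file form (`name==X.Y.Z`, `name>=X.Y`, bare `name`), and the function names `audit_requirements` and `audit_installed` are the example's own.

```python
"""Audit Python dependencies for the CVE-2025-27607 remediation steps.

Added example, not part of the CCB advisory or the python-json-logger project.
Flags two conditions taken from the advisory text:
  1. python-json-logger pinned below 3.3.0 (the fixed version the advisory names)
  2. msgspec-python313-pre present as a dependency at all (it should be removed)

Assumption: requirements use the common `name==X.Y.Z` / `name>=X.Y` / `name`
forms; a python-json-logger entry without an exact pin is reported as
"unpinned" so a human can confirm what actually gets installed.
"""
import re
from importlib import metadata

FIXED_VERSION = (3, 3, 0)                   # from the advisory: fixed in 3.3.0
AFFECTED_PACKAGE = "python-json-logger"
DANGLING_DEPENDENCY = "msgspec-python313-pre"

# name, optional comparison operator, optional version (first specifier only)
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1); a trailing pre-release tag such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def audit_requirements(lines):
    """Return (package, reason) findings for a list of requirements-file lines."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("-"):    # skip blanks and pip options (-r, -e, ...)
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = normalize(m.group(1)), m.group(2), m.group(3)
        if name == DANGLING_DEPENDENCY:
            findings.append((name, "remove: abandoned dependency name from CVE-2025-27607"))
        elif name == AFFECTED_PACKAGE:
            if op == "==" and ver:
                if parse_version(ver) < FIXED_VERSION:
                    findings.append((name, f"vulnerable pin {ver}; upgrade to >=3.3.0"))
            else:
                findings.append((name, "unpinned: verify the installed version is >=3.3.0"))
    return findings


def audit_installed():
    """Same two checks against the packages installed in the current interpreter."""
    findings = []
    try:
        ver = metadata.version(AFFECTED_PACKAGE)
        if parse_version(ver) < FIXED_VERSION:
            findings.append((AFFECTED_PACKAGE, f"installed {ver}; upgrade to >=3.3.0"))
    except metadata.PackageNotFoundError:
        pass
    try:
        metadata.version(DANGLING_DEPENDENCY)
        findings.append((DANGLING_DEPENDENCY, "installed: remove it"))
    except metadata.PackageNotFoundError:
        pass
    return findings


if __name__ == "__main__":
    # Constructed sample requirements for demonstration (not a real project's file).
    sample = [
        "python-json-logger==3.2.1",
        "msgspec-python313-pre",
        "requests==2.31.0  # unrelated, fine",
        "-r base.txt",
    ]
    for pkg, reason in audit_requirements(sample) + audit_installed():
        print(f"{pkg}: {reason}")
```

Run it against each project's requirements file (or call `audit_installed()` inside the environment in question); an empty result means both advisory conditions are satisfied for that input. Lock files and `pyproject.toml` use other syntaxes and would need their own parser.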
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
GitHub Advisory: https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24
PyPI package: https://pypi.org/project/python-json-logger