Warning: potential RCE in Python JSON logger, patch immediately!

Published: 10/03/2025

Reference:
Advisory #2025-52

Version:
1.0

Affected software:
python-json-logger

Type:
CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVE/CVSS:
CVE-2025-27607: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27607

Risks

The popular python-json-logger package was vulnerable to remote code execution (RCE) through a missing dependency. This dependency, msgspec-python313-pre, was removed by its owner, leaving the name free to be registered by a malicious actor to perform a supply-chain attack and achieve remote code execution.

No malicious activity was observed, but exploitation of this weakness could have had a high impact on Confidentiality, Integrity and Availability. We therefore recommend patching the python-json-logger package and removing msgspec-python313-pre from the dependencies of all projects.

Description

CVE-2025-27607, CVSS 8.8

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

This vulnerability stems from a dependency of python-json-logger called msgspec-python313-pre. Because it was removed by its owner, the name was left open for attackers to register a new package under the same name and achieve remote code execution on systems that depend on it. At the time of writing, a package with the same name is active and owned by a researcher as a proof of concept.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The issue is patched in version 3.3.0. If msgspec-python313-pre is still part of your dependencies, you should remove it.
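A quick way to check a project for the two conditions named in this advisory (python-json-logger pinned below 3.3.0, or msgspec-python313-pre still listed) is to scan its requirements.txt or pip freeze output. The script below is an added example, not code from the advisory or from the python-json-logger project; it only understands "==" pins (other specifiers are reported as unpinned), and its sample input is constructed.

```python
import re

VULNERABLE_PACKAGE = "python-json-logger"
FIXED_VERSION = (3, 3, 0)              # first fixed version, per the advisory
DANGLING_DEP = "msgspec-python313-pre"  # removed upstream, name was free to register

SAMPLE_REQUIREMENTS = (  # constructed sample, not a real project's file
    "requests==2.32.3\n"
    "python-json-logger==3.2.1\n"
    "msgspec-python313-pre==0.19.0  # left over from an older release\n"
)

# Matches "name" optionally followed by "==version"; other specifiers leave the version unset.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")


def normalize(name):
    """PEP 503 name normalisation so Python_JSON.Logger matches python-json-logger."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Reduce a pinned version to (major, minor, patch); non-numeric suffixes are ignored."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_requirements(text):
    """Map normalised package names to their '==' pin (None when not pinned that way)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = _REQ_RE.match(line)
        if match:
            pins[normalize(match.group(1))] = match.group(2)
    return pins


def audit(text):
    """Return human-readable findings for the conditions named in the advisory."""
    pins = parse_requirements(text)
    findings = []
    if VULNERABLE_PACKAGE in pins:
        version = pins[VULNERABLE_PACKAGE]
        if version is None:
            findings.append(f"{VULNERABLE_PACKAGE} is not pinned; confirm the installed version is >= 3.3.0")
        elif parse_version(version) < FIXED_VERSION:
            findings.append(f"{VULNERABLE_PACKAGE}=={version} is below the fixed version 3.3.0")
    if DANGLING_DEP in pins:
        findings.append(f"{DANGLING_DEP} is still listed as a dependency; remove it")
    return findings
```

Run `audit()` over the output of `pip freeze` (or each requirements file in the repository); an empty list means neither condition was found in that listing.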

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

GitHub Advisory: https://github.com/nhairs/python-json-logger/security/advisories/GHSA-wmxh-pxcx-9w24

PyPI package: https://pypi.org/project/python-json-logger