A critical Remote Code Execution (RCE) vulnerability was recently discovered in python-json-logger, a widely used Python package for structured logging. This flaw, affecting versions 3.2.0 and 3.2.1, arises from a missing dependency: msgspec-python313-pre. That dependency was deleted from PyPI, leaving its name unclaimed. This vulnerability highlights a recurring yet dangerous issue in software supply chains—dependency hijacking—where unclaimed or deleted packages can be re-registered by attackers to introduce malicious code.

What Makes python-json-logger Vulnerable?

The vulnerability exists because the package declares an optional dependency, msgspec-python313-pre, in its pyproject.toml file, but that dependency no longer exists on PyPI. It was removed by its original owner, which made it possible for an attacker to register a new package with the same name.

If a malicious actor published msgspec-python313-pre containing a payload, any developer running:

pip install python-json-logger[dev]

on Python 3.13 would automatically install the attacker’s package. This opens the door to arbitrary code execution during the installation or import of python-json-logger, depending on how the malicious package is structured.

The issue persisted because, despite removing the dependency from the repository in commit 1ce81a3, no new version of python-json-logger was published to reflect this change until version 3.3.0. This left users of 3.2.0 and 3.2.1 vulnerable.
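One pre-install check a maintainer or CI owner can run against their own project's extras, added here as an example (not python-json-logger's or Upwind's code): it evaluates the python_version marker the way pip would for a target interpreter and reports every name the extra would resolve live against the index because no lock file pins it. The extras table and lock file contents below are constructed to model the situation described above, not taken from the project's repository.

```python
import operator
import re
# Loose PEP 508 split: distribution name, then anything up to an optional ";" marker.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)[^;]*?(?:;\s*(.*))?$")
# Only python_version clauses are evaluated: that is the marker that gated this dependency.
_MARKER_RE = re.compile(r'python_version\s*(<=|>=|==|!=|<|>)\s*"([0-9.]+)"')
_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, ">=": operator.ge}

# Constructed sample mirroring the kind of extras table described above (not the project's
# real pyproject.toml); tomllib returns this shape for [project.optional-dependencies].
SAMPLE_OPTIONAL_DEPS = {
    "dev": [
        "black",
        'msgspec; python_version < "3.13"',
        'msgspec-python313-pre; python_version >= "3.13"',
    ],
}
# Constructed lock file: names a hash-pinned requirements file already covers.
SAMPLE_LOCKED = {"black", "msgspec"}

def normalize(name: str) -> str:
    """PEP 503 normalization so 'Foo_Bar.baz' and 'foo-bar-baz' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _vt(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))

def marker_applies(marker: str, python_version: str) -> bool:
    """Evaluate 'and'-joined python_version clauses; a clause this checker cannot
    evaluate is assumed to hold, so the audit over-reports rather than misses."""
    for clause in re.split(r"\s+and\s+", marker.strip()):
        m = _MARKER_RE.fullmatch(clause.strip())
        if m and not _OPS[m.group(1)](_vt(python_version), _vt(m.group(2))):
            return False
    return True

def requirements_for(optional_deps: dict, extra: str, python_version: str) -> list:
    """Normalized names `pip install pkg[extra]` would resolve on python_version."""
    names = []
    for req in optional_deps.get(extra, []):
        m = _REQ_RE.match(req)
        if m and marker_applies(m.group(2) or "", python_version):
            names.append(normalize(m.group(1)))
    return names

def unpinned(optional_deps: dict, extra: str, python_version: str, locked) -> list:
    """Names the extra installs that the lock file does not pin: each is resolved live
    against the index, and an unclaimed name there is the exposure."""
    locked_norm = {normalize(n) for n in locked}
    return [n for n in requirements_for(optional_deps, extra, python_version) if n not in locked_norm]
```

Run it with the interpreter versions your CI actually uses; the 3.13 result is what reviewers of the dev extra should have seen before the dependency was cleaned up in the repository.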

Exploitation Steps: How Attackers Could Leverage This

To demonstrate how this attack works, let’s break down the exploitation process:

  1. Identify a Missing Dependency:
    • Attackers scan popular packages for dependencies that do not exist on PyPI.
    • Using tools like pipreqs, they can list dependencies and check if any are missing.
  2. Register a Package with Malicious Code:
    • The attacker registers msgspec-python313-pre on PyPI.
    • Inside this package, they include a malicious setup.py script.
    • Alternatively, they could embed the payload inside __init__.py so it executes on import.
  3. Wait for Victims to Install the Dependency:
    • Any user running pip install python-json-logger[dev] with Python 3.13 would automatically install the malicious package.
    • The attacker gains remote code execution on the developer’s or CI/CD system.

Real-World Impact: Why This Matters

According to PyPI BigQuery data, python-json-logger receives over 46 million downloads per month. This means that even a small percentage of users installing the dev dependencies could result in widespread compromise.

For organizations relying on CI/CD pipelines that install dependencies dynamically, this could lead to supply chain attacks, compromising sensitive environments and exfiltrating credentials, API keys, or even deploying malware at scale.

How Upwind Helps Detect and Mitigate Supply Chain Attacks

Upwind’s eBPF-based runtime monitoring provides real-time visibility into dependency installations and Python process behavior, helping organizations reduce noise and detect threats before exploitation occurs.

With Upwind, security teams can:

  1. Detect if Python 3.13 is running on critical resources and assess exposure.
  2. Monitor unexpected package installations via pip to flag untrusted dependencies.
  3. Correlate package installs with runtime execution, reducing false positives.
  4. Identify network requests from pip to malicious domains before payload execution.

Upwind enables proactive security by combining static package analysis with runtime behavior detection, providing organizations with the full attack context needed to respond effectively.

Learn More

This vulnerability demonstrates the real-world risks of dependency hijacking and why organizations must closely monitor their software supply chains. By leveraging Upwind’s real-time monitoring, security teams can detect, investigate, and prevent supply chain threats before they lead to full-scale compromises. To learn more about how Upwind protects against dependency hijacking, schedule a demo.