Dependency Swap in python-json-logger, a Python Library with 40M Monthly Downloads

A vulnerability (CVE-2025-27607) has been disclosed in the python-json-logger library that allows one of its dependencies to be substituted through the PyPI catalog, with the potential for malicious code to run on systems that use the package. The library, which provides logging in JSON format, has been downloaded 40 million times in the past month according to download statistics. The issue is fixed in python-json-logger 3.3.0, released on March 7.

The vulnerability stems from the library msgspec-python313-pre being listed among the optional dependencies of python-json-logger. The authors of that library removed their project from the PyPI catalog in December 2024 without notifying the developers of packages that depended on it. This opened the door for an attacker to upload a library under the same name to PyPI and have it pulled in when python-json-logger is installed with that optional dependency.

A researcher discovered the new package named msgspec-python313-pre and demonstrated the exploitation of python-json-logger through its optional dependencies by running the command “pip install python-json-logger[dev]” on systems with Python 3.13.
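The underlying risk is an optional dependency whose name no longer resolves on the index and can therefore be re-registered by anyone. The following added example (not code from the article or from the python-json-logger project) audits a package's Requires-Dist metadata against a snapshot of index names and flags declared dependencies, base or extra, that are no longer present; the metadata lines and the index snapshot are constructed for illustration and only loosely modelled on the case above.

```python
import re

# Constructed Requires-Dist lines modelled on how a library might declare an
# optional "dev" extra with a Python-3.13-only fallback (not the real metadata).
REQUIRES_DIST = [
    "typing_extensions; python_version < '3.10'",
    "msgspec; extra == 'dev' and python_version < '3.13'",
    "msgspec-python313-pre; extra == 'dev' and python_version >= '3.13'",
    "pytest; extra == 'dev'",
]

# Constructed snapshot of project names that currently resolve on the index.
# In a real audit this would be fetched from the index, not hard-coded.
INDEX_SNAPSHOT = {"typing-extensions", "msgspec", "pytest"}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_EXTRA_RE = re.compile(r"extra\s*==\s*['\"]([^'\"]+)['\"]")


def normalize(name: str) -> str:
    """PEP 503 normalization: the index treats MSGSPEC-PYTHON313-PRE,
    msgspec_python313_pre and msgspec-python313-Pre as one project, so the
    casing seen in the wild does not change which name is claimable."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str):
    """Return (normalized project name, extra name or None) for one line."""
    m = _NAME_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    marker = line.split(";", 1)[1] if ";" in line else ""
    em = _EXTRA_RE.search(marker)
    return normalize(m.group(1)), (em.group(1) if em else None)


def unclaimed_dependencies(requires_dist, index_names):
    """Declared dependencies that no longer resolve on the index. Each one is
    a name a third party could register, so each should be pinned to a hash,
    vendored, or dropped from the metadata."""
    known = {normalize(n) for n in index_names}
    missing = []
    for line in requires_dist:
        name, extra = parse_requirement(line)
        if name not in known:
            missing.append((name, extra))
    return missing
```

Running `unclaimed_dependencies(REQUIRES_DIST, INDEX_SNAPSHOT)` on the constructed data reports only the dev-extra dependency as unclaimed, which is the condition a release check should fail on.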
