A recently disclosed vulnerability in the Python JSON Logger library has exposed millions of installations to remote code execution (RCE) attacks. Tracked as GHSA-wmxh-pxcx-9w24, the vulnerability stems from an unregistered dependency called “msgspec-python313-pre.” This flaw allowed attackers to hijack package installations by exploiting the unregistered package name in the PyPI repository. Versions 3.2.0 and 3.2.1 of the Python JSON Logger library were affected, and the flaw scored 8.8/10 on the CVSS severity scale. Researchers found that attackers could have exploited this gap to execute arbitrary code on vulnerable systems using these versions.
The vulnerability arose due to a dependency confusion attack, where attackers exploited an unregistered package name to publish malicious code.
The issue persisted even after a fix was committed to the source code a month earlier. However, it wasn’t included in an official PyPI release until version 3.3.0. Developers using Python 3.13 environments with development dependencies enabled were most at risk. Attackers needed only to publish a malicious package on PyPI, which would then be automatically fetched by vulnerable installations during the setup process.
Security researcher Omnigodz discovered the flaw and confirmed its exploitability in a proof-of-concept, though no evidence of malicious exploitation exists. The vulnerability’s widespread impact is due to the Python JSON Logger’s high download rate, with over 46 million monthly downloads. The flaw was particularly dangerous for users running CI/CD pipelines or developer workstations using Python 3.13. Successful exploitation of the vulnerability would have allowed attackers to gain full control of affected systems, compromising their confidentiality, integrity, and availability.
To address the vulnerability, Python JSON Logger maintainers released version 3.3.0, which removes the problematic dependency.
They also worked with Omnigodz to transfer ownership of the disputed package name, preventing future hijacking attempts. Security experts have urged immediate updates to version 3.3.0, with additional recommendations for auditing Python environments. This incident highlights the increasing number of supply chain attacks, with a 78% rise in such incidents year-over-year. Developers must carefully manage dependencies to prevent similar issues in the future.
