VulnFeed by Novadyne

CVE-2025-27607: python-json-logger dependency hijack

CVE-2025-27607 (python-json-logger dependency hijack) is a supply-chain risk (unclaimed optional dependency) vulnerability in python-json-logger (PyPI). As of 2026-06-18 it carries a 1.5% probability of exploitation in the next 30 days (EPSS). It is fixed in 3.3.0 — if you depend on an earlier version, upgrade.

Severity: Critical
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS (exploit probability, 30d): 1.5% · 70th percentile
Vulnerability type: Supply-Chain Risk (unclaimed optional dependency)
Affected package: python-json-logger (PyPI)
Fixed in: 3.3.0

What is CVE-2025-27607?

python-json-logger referenced an optional development dependency, msgspec-python313-pre, that had been deleted from PyPI, freeing the name for anyone to claim. Installing the dev extras on Python 3.13 would auto-fetch that name, so a malicious actor who published a package under it could have achieved remote code execution on installer machines. A researcher defensively claimed and removed the name, and the dependency was dropped in 3.3.0.

Is CVE-2025-27607 exploitable?

CVE-2025-27607 has an EPSS score of 1.5% (70th percentile), meaning a 1.5% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which scores as Critical severity. It is a supply-chain risk (unclaimed optional dependency) issue.

What is the EPSS score for CVE-2025-27607?

As of 2026-06-18, the EPSS exploit-prediction score for CVE-2025-27607 is 1.5% (70th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.

How do I fix CVE-2025-27607?

Upgrade python-json-logger to 3.3.0 or later. That release drops the optional development dependency msgspec-python313-pre, whose PyPI name had been deleted and left open for anyone to claim (see "What is CVE-2025-27607?" above). If your project pins its own dev dependencies, also remove any reference to msgspec-python313-pre from your lockfile.

Am I affected by CVE-2025-27607?

You are affected if your project (directly or transitively) depends on a vulnerable version of python-json-logger in the PyPI ecosystem. Check your lockfile for the resolved version, or scan automatically with VulnFeed.
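One way to do that lockfile check, as an added example that is not part of VulnFeed or python-json-logger: it reads a pip-style requirements file with exact pins, flags python-json-logger below 3.3.0 (treating a 3.3.0 pre-release as still affected), and flags any line that pins the deleted dependency name. The sample requirements text is constructed for illustration.

```python
import re
from typing import List, Tuple

AFFECTED_PACKAGE = "python-json-logger"
FIXED_VERSION = (3, 3, 0, 1)  # (major, minor, patch, is_final_release)
# Optional dev dependency named in the advisory whose PyPI name had been deleted.
UNCLAIMED_DEPENDENCY = "msgspec-python313-pre"

# name[extras]==version [; marker] -- exact pins only, as a lockfile produces.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")
PRE_RE = re.compile(r"[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

# Constructed sample lockfile (not a real project's file).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
python-json-logger[dev]==3.2.1
msgspec-python313-pre==0.1.0 ; python_version >= "3.13"
"""


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version: str) -> Tuple[int, int, int, int]:
    """Numeric release zero-padded to three parts, plus a final-release flag so
    that a pre-release such as 3.3.0rc1 sorts below the fixed release 3.3.0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    is_final = 0 if PRE_RE.match(version[m.end():]) else 1
    return (major, minor, patch, is_final)


def find_exposure(requirements_text: str) -> List[str]:
    """Return one finding per pinned line that indicates CVE-2025-27607 exposure."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN_RE.match(line)
        if not m:
            continue  # comments, blank lines and unpinned specifiers are skipped
        name, version = normalize(m.group(1)), m.group(2)
        if name == AFFECTED_PACKAGE and release_tuple(version) < FIXED_VERSION:
            findings.append(f"line {lineno}: {name}=={version} is below 3.3.0; upgrade")
        if name == UNCLAIMED_DEPENDENCY:
            findings.append(f"line {lineno}: {name} is the deleted PyPI name; remove it")
    return findings


if __name__ == "__main__":
    print("\n".join(find_exposure(SAMPLE_REQUIREMENTS)) or "no exposure found")
```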

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.