A recently disclosed supply chain vulnerability in the widely used python-json-logger library (versions 3.2.0–3.2.1) could have allowed remote code execution (RCE) through a dependency that no longer existed on PyPI, highlighting the risks of open-source package management.
The flaw, tracked as GHSA-wmxh-pxcx-9w24, stemmed from the absence of the msgspec-python313-pre package, which had been deleted by its maintainer. Once deleted, the name was free for anyone to register, leaving it open to takeover. This is a deleted-package takeover rather than classic typosquatting: the attacker needs no misspelling, because the exact name the library asks for is the one that became available.
Vulnerability Details
The issue arose when python-json-logger declared msgspec-python313-pre as an optional development dependency for Python 3.13 environments.
After the original package was removed from PyPI, the dependency name became available for registration by third parties.
Security researcher @omnigodz demonstrated that an attacker could claim the orphaned name and publish a malicious package under it. Because pip resolves dependencies by name alone, that package would then be installed automatically by the command pip install python-json-logger[dev] on Python 3.13.
While no evidence of exploitation exists, the potential impact was severe:
- A CVSS score of 8.8 (High severity initially, later downgraded to Low after PyPI intervened).
- Over 46 million monthly downloads of python-json-logger, although only installs that requested the [dev] extra on Python 3.13 would actually have pulled the orphaned dependency.
- Compromise scenarios included arbitrary code execution during installation or CI/CD pipeline runs, with whatever credentials the installing process held.
Discovery and Mitigation
@omnigodz identified the flaw during research into dependency confusion attacks, publishing a benign proof-of-concept package (msgspec-python313-pre v0.0.0.1) to claim the name and prevent malicious takeovers.
Key timeline events include:
- 30 December 2024: Vulnerability introduced in python-json-logger v3.2.0.
- 4 March 2025: Patch released in v3.3.0, removing the problematic dependency.
- 15 March 2025: PyPI admins permanently reserved the msgspec-python313-pre name, nullifying the threat.
Broader Implications
This incident underscores systemic risks in open-source ecosystems, particularly:
- Dependency Confusion and Abandoned Names: Unclaimed or deleted package names can be re-registered by anyone, so any dependency declaration that still references them becomes a takeover target. Unlike classic dependency confusion, where an installer is tricked into fetching a public package in place of an internal one, no name collision is needed here: the installer asks for exactly the name the attacker now controls.
- CI/CD Pipeline Security: Development and optional dependencies installed in automated workflows run with the pipeline's credentials and can become intrusion vectors, even when they never ship in the production artifact.
- Response Coordination: The downgrade from High to Low severity after PyPI’s intervention illustrates the need for dynamic risk assessment.
Developers are urged to update to python-json-logger v3.3.0 and to audit their dependency trees, including optional extras, for names that no longer resolve to a maintained project on PyPI.
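The audit suggested above and the install-time behaviour described under Vulnerability Details can both be checked with a small script that parses Requires-Dist metadata, evaluates the extra and python_version markers the way pip does, and flags any resolved name that the index no longer serves. The following is an added example, not code from the original article or from the python-json-logger project. The sample metadata lines are constructed to mirror the 3.2.x situation (the exact marker text in the real package is not reproduced here), and the index snapshot is a constructed stand-in for a live query of PyPI; the marker evaluator is deliberately limited to conjunctive markers over extra and python_version and refuses anything else rather than guessing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample Requires-Dist lines, shaped like the python-json-logger
# 3.2.x case: a Python 3.13-only optional "dev" dependency whose name has
# since been deleted from the index. The marker text is an assumption.
SAMPLE_REQUIRES_DIST = [
    'typing_extensions; python_version < "3.10"',
    'msgspec; extra == "dev" and python_version < "3.13"',
    'msgspec-python313-pre; extra == "dev" and python_version >= "3.13"',
    'pytest; extra == "dev"',
]

# Constructed snapshot of project names the index currently serves. A real
# audit would query the index (for PyPI, the simple API) instead.
INDEX_SNAPSHOT = {"typing-extensions", "msgspec", "pytest"}

_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # project name
    r"\s*(?:\[[^\]]*\])?"                          # extras requested of the dep (ignored)
    r"\s*(?P<spec>[^;]*?)"                         # optional version specifier
    r"\s*(?:;\s*(?P<marker>.*))?$"                 # optional environment marker
)
_CLAUSE_RE = re.compile(r'^\s*(\w+)\s*(==|!=|<=|>=|<|>)\s*["\']([^"\']*)["\']\s*$')

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def normalize(name: str) -> str:
    """PEP 503 normalisation, so that Msgspec_Python313.Pre and msgspec-python313-pre compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class Requirement:
    name: str
    spec: str
    clauses: List[Tuple[str, str, str]] = field(default_factory=list)  # (variable, op, value)


def parse_requirement(line: str) -> Requirement:
    """Parse one Requires-Dist line into a normalised name, specifier and marker clauses."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable Requires-Dist line: {line!r}")
    clauses = []
    if m.group("marker"):
        # Simplification: only conjunctions ("a and b") are handled. PEP 508 also
        # allows "or" and parentheses; those are rejected rather than misjudged.
        for part in m.group("marker").split(" and "):
            cm = _CLAUSE_RE.match(part)
            if not cm:
                raise ValueError(f"unsupported marker clause: {part!r}")
            clauses.append((cm.group(1), cm.group(2), cm.group(3)))
    return Requirement(normalize(m.group("name")), m.group("spec"), clauses)


def _version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def marker_applies(req: Requirement, extra: Optional[str], python_version: str) -> bool:
    """True if the requirement is selected for the requested extra and interpreter version."""
    for var, op, value in req.clauses:
        if var == "extra":
            lhs, rhs = (extra or ""), value
        elif var == "python_version":
            lhs, rhs = _version_tuple(python_version), _version_tuple(value)
        else:
            raise ValueError(f"unsupported marker variable: {var}")
        if not _OPS[op](lhs, rhs):
            return False
    return True


def resolve(requires_dist: List[str], extra: Optional[str], python_version: str) -> List[str]:
    """Names that `pip install pkg[extra]` would fetch on the given interpreter."""
    return [r.name for r in map(parse_requirement, requires_dist)
            if marker_applies(r, extra, python_version)]


def find_unclaimed(requires_dist: List[str], extra: Optional[str],
                   python_version: str, index: Set[str]) -> List[str]:
    """Resolved names the index does not serve: each one is a takeover candidate."""
    return [n for n in resolve(requires_dist, extra, python_version) if n not in index]


if __name__ == "__main__":
    for py in ("3.12", "3.13"):
        print(py, find_unclaimed(SAMPLE_REQUIRES_DIST, "dev", py, INDEX_SNAPSHOT))
```

Run against the constructed sample, the script reports nothing for Python 3.12 and flags msgspec-python313-pre for Python 3.13 with the dev extra, which is exactly the population of installs the advisory describes. To turn this into a real audit, feed it the Requires-Dist lines of each installed distribution (importlib.metadata exposes them) and replace the snapshot with a lookup against your index; a name that resolves to nothing today is the name someone can register tomorrow.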
The resolution highlights the critical role of platform maintainers like PyPI in mitigating supply chain threats through proactive namespace management.