A critical vulnerability, assigned CVE-2025-27607, has been discovered in python-json-logger, a popular package for the Python programming language. Alexander Kabanov, a computer security expert at Gazinformservice, says the problem affects millions of users: today the Python development environment is deployed on more than 43 million PCs worldwide.


The issue reportedly arose after the msgspec-python313-pre dependency was removed from PyPI (Python Package Index), the repository that hosts thousands of third-party Python modules. Attackers then added a malicious package under the same name to the repository, which gives them the ability to remotely execute arbitrary code on vulnerable systems and can lead to data compromise, information theft, and complete control over the infected PC.

“The ability to remotely access the system and execute arbitrary code due to a missing dependency shows how important it is to analyze the code and dependencies during each build, as well as promptly update the software,” Kabanov noted.
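One way to put that build-time dependency check into practice, as an added example that is not part of the article or of any project it mentions: the script below audits a pip requirements file and reports every dependency that is not pinned to an exact version with a sha256 hash. With hashes in place, `pip install --require-hashes` refuses a package that was re-published under a freed name with different contents, which is the failure mode described above. The sample requirements text, the package versions and the hash value are constructed for illustration and are not real digests of any release.

```python
"""Audit a pip requirements file for dependency-confusion exposure.

Added example, not code from the article. It flags requirements that are
not pinned to an exact version or that carry no sha256 --hash, since only
hash-pinned requirements let pip reject a substituted package body.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample requirements.txt. The version numbers and the hash are
# placeholders, not digests of any published release.
SAMPLE_REQUIREMENTS = """\
# hash-pinned: a republished package with different contents is rejected
python-json-logger==3.2.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
# unpinned and unhashed: whatever PyPI serves under this name gets installed
msgspec-python313-pre
requests>=2.0
"""

NOT_PINNED = "not pinned to an exact version (no ==)"
NO_HASH = "no sha256 --hash; pip install --require-hashes would reject this line"

# name, optional comparison operator, version (stops at whitespace or ';' marker)
_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]*)")
_HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: str
    hashes: list = field(default_factory=list)  # list of (algorithm, hexdigest)


def parse_requirements(text: str) -> list:
    """Parse requirements text into Requirement objects, joining backslash-continued lines."""
    logical = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # pip-style line continuation
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)

    reqs = []
    for line in logical:
        m = _SPEC_RE.match(line)
        if not m:
            continue
        name, op, version = m.group(1), m.group(2), m.group(3)
        hashes = [(alg.lower(), digest.lower()) for alg, digest in _HASH_RE.findall(line)]
        reqs.append(Requirement(name.lower(), op, version, hashes))
    return reqs


def audit(text: str) -> dict:
    """Return {package_name: [findings]} for every requirement that is not fully pinned."""
    findings = {}
    for req in parse_requirements(text):
        issues = []
        if req.operator != "==" or not req.version:
            issues.append(NOT_PINNED)
        if not any(alg == "sha256" for alg, _ in req.hashes):
            issues.append(NO_HASH)
        if issues:
            findings[req.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_REQUIREMENTS).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Run the script against a real requirements file by replacing `SAMPLE_REQUIREMENTS` with the file's contents; an empty result means every dependency is pinned by version and hash, so a build can safely add `--require-hashes` to its `pip install` step and fail closed when a package body changes.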

Wikipedia defines Python as “a multi-paradigm, high-level, general-purpose programming language with dynamic strong typing and automatic memory management, focused on improving developer productivity, code readability, code quality, and portability.”

In 2024, Python overtook JavaScript for the first time to become the most popular programming language on GitHub. This growth is attributed to the rapid development of data science and the excitement around AI and machine learning. These changes reflect a shift in the industry as a whole, where there is an increasing focus on the application of artificial intelligence, including the creation of lighter models that require fewer computing resources.
