
Critical Supply Chain Vulnerability in python-json-logger (CVE-2025-27607) Affects Versions 3.2.0 and 3.2.1

A severe supply‑chain vulnerability (CVE‑2025‑27607) in python‑json‑logger versions 3.2.0 and 3.2.1 allows remote code execution through a missing dependency, prompting an urgent upgrade to version 3.3.0 to mitigate the risk.

Python Programming Learning Circle

A severe vulnerability, CVE‑2025‑27607, was discovered in python-json-logger versions 3.2.0 and 3.2.1. It stems from a declared development dependency, “msgspec-python313-pre”, that no longer existed on PyPI, exposing users to a remote code execution (RCE) risk.

The issue arises because the “msgspec-python313-pre” package had been removed from PyPI, leaving the name free for any attacker to register with a malicious package; when users install python-json-logger with its dev dependencies in a Python 3.13 environment, that malicious code can be executed.

The vulnerability was identified by @omnigodz while researching supply‑chain attacks; the pyproject.toml of version 3.2.1 still declared the missing dependency.

Affected versions are 3.2.0 and 3.2.1. Researchers temporarily published a benign package with the same name and later removed it to prevent exploitation.

According to PyPI BigQuery data, python-json-logger is widely used with over 46 million monthly downloads; although no public exploitation evidence exists, the potential impact is significant.

The maintainers responded quickly by releasing version 3.3.0, which removes the vulnerable dependency; users of affected versions should upgrade immediately.

This incident highlights the importance of securing software‑package dependencies and maintaining vigilance over supply‑chain security in the open‑source ecosystem.

Tags: supply chain, security, vulnerability, RCE, json-logger

Written by

Python Programming Learning Circle

A global community of Chinese Python developers offering technical articles, columns, original video tutorials, and problem sets. Topics include web full‑stack development, web scraping, data analysis, natural language processing, image processing, machine learning, automated testing, DevOps automation, and big data.
