Platform
python
Component
pyinstaller
Fixed in
6.0.1
6.0.0
CVE-2025-59042 describes a privilege escalation vulnerability affecting PyInstaller versions up to 5.9.0. Under specific conditions it allows an unprivileged local attacker to execute arbitrary Python code inside a PyInstaller-frozen application. The issue arises from how sys.path is managed during the bootstrap process, combined with the optional bytecode-encryption feature (the --key option of PyInstaller 5.x). A fix is available in version 6.0.0.
The impact is that an unprivileged local user gains code execution with the privileges of the frozen application. If that application runs as a service, as an administrator or as root, the result is a full privilege escalation: access to sensitive data, compromise of the host and potentially complete control over the affected system. Both the 'onedir' and 'onefile' build modes are affected. The requirement that optional bytecode encryption be enabled narrows the affected population, but any privileged application built that way should be treated as exposed.
CVE-2025-59042 was publicly disclosed on 2025-09-10. No public exploits are known at the time of writing, the EPSS score is 0.02% (3rd percentile), and the vulnerability is not listed in CISA's KEV catalog. Exploitation needs a local, unprivileged attacker, a frozen application built with bytecode encryption enabled and an import path the attacker can influence, so the practical risk is concentrated in applications that run with higher privileges than the users of the machine; the low EPSS should not be read as a reason to defer the upgrade for those deployments.
Organizations and developers using PyInstaller to package Python applications, particularly those that enabled the optional bytecode-encryption feature and build with versions prior to 6.0.0, are at risk. The exposure is greatest where the frozen application runs with higher privileges than the local users who can launch it or influence its import path (sys.path): installed services, scheduled tasks and elevated helper tools, since that is the boundary the vulnerability crosses.
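The question the paragraph above raises for a given deployment is whether the frozen application's import path contains anything an unprivileged local user can control. The following audit script is an added example, not PyInstaller's code or part of the advisory. It walks a list of sys.path entries and flags the ones a local user could influence: entries that resolve to the current working directory, relative entries, world-writable directories and directories that do not exist yet. The reason strings, the injectable is_writable and exists predicates and the constructed sample paths are all this example's own assumptions; the world-writable check reads POSIX mode bits and is not meaningful under Windows ACLs. Run it inside the frozen application (sys.frozen and sys._MEIPASS are set there by PyInstaller's bootloader) to see the path the bootstrap actually produced.

```python
"""Audit an import path for entries an unprivileged local user could control.
Added example, not PyInstaller project code."""
import os
import stat
import sys

# Reason strings are this example's own labels.
CWD = "resolves to the current working directory"
RELATIVE = "relative entry, resolved against the current working directory"
WRITABLE = "world-writable directory"
MISSING = "does not exist; whoever can create it decides what gets imported"


def resolve_entry(entry, cwd):
    """Python treats '' (and '.') on sys.path as the working directory; make that
    explicit and anchor other relative entries the same way."""
    if entry in ("", "."):
        return cwd
    if not os.path.isabs(entry):
        return os.path.normpath(os.path.join(cwd, entry))
    return entry


def is_world_writable(path):
    """POSIX check: the 'other' write bit is set. Not meaningful under Windows
    ACLs (assumption: callers on Windows swap in their own predicate)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit_path(entries, cwd, is_writable=is_world_writable, exists=os.path.isdir):
    """Return (resolved_path, reason) pairs for entries a local user could control.
    The predicates are injectable so the logic can be exercised on constructed paths."""
    findings = []
    for entry in entries:
        path = resolve_entry(entry, cwd)
        if entry in ("", "."):
            findings.append((path, CWD))
        elif not os.path.isabs(entry):
            findings.append((path, RELATIVE))
        if not exists(path):
            findings.append((path, MISSING))
        elif is_writable(path):
            findings.append((path, WRITABLE))
    return findings


def main():
    # sys.frozen and sys._MEIPASS are set by PyInstaller's bootloader in a frozen app.
    print("frozen:", getattr(sys, "frozen", False),
          "bundle dir:", getattr(sys, "_MEIPASS", None))
    findings = audit_path(sys.path, os.getcwd())
    for path, reason in findings:
        print(f"{path}: {reason}")
    return findings


if __name__ == "__main__":
    main()
```

An empty finding list for a privileged application does not prove the bootstrap is safe (it only covers the entries present when the script runs), but any finding is a concrete directory to lock down until the build is on 6.0.0 or later.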
Quick checks (python / supply-chain):
• Print the import path the running interpreter (or frozen application) actually uses:
  import sys
  print(sys.path)
• Windows (PowerShell): show the command lines of running Python processes; for a frozen application substitute its executable name for "python":
  Get-Process -Name python | Select-Object -ExpandProperty CommandLine
• Linux/macOS: list running Python processes (again, substitute the frozen executable's name):
  ps aux | grep python

Disclosure: 2025-09-10
Exploit status: no public exploits known
EPSS: 0.02% (3rd percentile)
CISA SSVC: none listed
The primary mitigation for CVE-2025-59042 is to upgrade to PyInstaller version 6.0.0 or later, which addresses the vulnerability. If upgrading is not immediately feasible, consider temporarily disabling the optional bytecode encryption feature, though this reduces the protection it provides. Monitor application startup processes for unusual module loading behavior. Implement strict access controls and least privilege principles to limit the potential impact of a successful exploit. After upgrading, confirm the fix by building a test application with PyInstaller 6.0.0 and verifying that the sys.path manipulation does not result in arbitrary code execution.
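Deciding whether a build is actually in scope (the affected-version and bytecode-encryption conditions above) can be scripted. The following is an added example, not PyInstaller project code. It assumes two conventions: that the build pins pyinstaller with '==' in a requirements.txt, and that a PyInstaller 5.x spec file generated with the --key option carries a block_cipher = pyi_crypto.PyiBlockCipher(key=...) line while an unencrypted one sets block_cipher = None. The sample requirements and spec texts are constructed for the example.

```python
"""Decide whether a PyInstaller build is in scope for CVE-2025-59042.
Added example, not PyInstaller project code. Both conditions must hold:
PyInstaller older than 6.0.0 and the optional bytecode-encryption feature enabled."""
import re

FIXED_VERSION = (6, 0, 0)

# Constructed sample inputs (not taken from any real project).
REQUIREMENTS = """\
# build tooling
pyinstaller==5.9.0
requests==2.31.0
"""

SPEC_ENCRYPTED = """\
# -*- mode: python ; coding: utf-8 -*-
block_cipher = pyi_crypto.PyiBlockCipher(key='0123456789abcdef')

a = Analysis(['app.py'], cipher=block_cipher)
"""

SPEC_PLAIN = """\
# -*- mode: python ; coding: utf-8 -*-
block_cipher = None

a = Analysis(['app.py'], cipher=block_cipher)
"""


def parse_version(text):
    """'5.9.0' -> (5, 9, 0). Stops at the first non-numeric component, so a
    pre-release or local suffix ('6.0.0rc1', '5.13.2+local') is ignored."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
        if match.end() != len(piece):
            break
    return tuple(parts)


def is_vulnerable_version(version):
    """True for any release older than the fixed version 6.0.0."""
    return parse_version(version) < FIXED_VERSION


def pinned_pyinstaller(requirements_text):
    """Return the '==' pin for pyinstaller from requirements text, or None when
    the package is absent or not pinned with '=='. Comments are stripped first."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"(?i)^pyinstaller\s*==\s*([0-9][0-9A-Za-z.+\-]*)", line)
        if match:
            return match.group(1)
    return None


def spec_uses_bytecode_encryption(spec_text):
    """PyInstaller 5.x specs built with --key construct a PyiBlockCipher; a spec
    without encryption sets block_cipher = None. Commented-out lines are ignored."""
    for line in spec_text.splitlines():
        code = line.split("#", 1)[0]
        if "PyiBlockCipher(" in code:
            return True
    return False


def assess(requirements_text, spec_text):
    """Combine both conditions. A missing or unpinned pyinstaller requirement is
    reported as unknown (None) rather than silently treated as safe."""
    version = pinned_pyinstaller(requirements_text)
    encryption = spec_uses_bytecode_encryption(spec_text)
    if version is None:
        return {"version": None, "vulnerable_version": None,
                "encryption_enabled": encryption, "affected": None}
    vulnerable = is_vulnerable_version(version)
    return {"version": version, "vulnerable_version": vulnerable,
            "encryption_enabled": encryption, "affected": vulnerable and encryption}


if __name__ == "__main__":
    for name, spec in (("encrypted", SPEC_ENCRYPTED), ("plain", SPEC_PLAIN)):
        print(name, assess(REQUIREMENTS, spec))
```

Point pinned_pyinstaller at the real requirements.txt and spec_uses_bytecode_encryption at every .spec file the CI actually builds from; a pin that comes from a lock file or a constraints file rather than requirements.txt needs the same check applied to that file.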
Update PyInstaller to version 6.0.0 or later. If updating is not possible, make sure the directories containing security-sensitive executables have appropriate permissions to mitigate the issue. Also consider not using the bytecode-encryption feature.
CVE-2025-59042 is a vulnerability in PyInstaller versions up to 5.9.0 that allows an attacker to execute arbitrary code by manipulating the application's startup path. It's rated HIGH severity.
You are affected if you are using PyInstaller versions 5.9.0 or earlier and have enabled the optional bytecode encryption feature. Check your PyInstaller version and update if necessary.
Upgrade to PyInstaller version 6.0.0 or later to resolve the vulnerability. If upgrading isn't possible immediately, consider disabling the optional bytecode encryption feature as a temporary workaround.
No public exploits are currently known, but the vulnerability's potential impact suggests a risk of future exploitation. Monitor your systems and apply the fix promptly.
Refer to the official PyInstaller project website and security advisories for the latest information and updates regarding CVE-2025-59042.