This advisory has been withdrawn after the maintainers of loguru noted this issue is not a security vulnerability and the CVE has been revoked. We have stopped Dependabot alerts regarding this issue.
In versions of loguru up to and including 0.5.3, a lack of sanitization on log serialization can lead to arbitrary code execution. The maintainer disputes the issue, but has altered the behavior of the library in commit 4b0070a4f30cbf6d5e12e6274b242b62ea11c81b. See https://github.com/Delgan/loguru/issues/563 for further discussion of the issue. The function in question is intended for internal use only, but its use is not restricted. This has been patched in version 0.6.0.
| Score | Percentile |
|---|---|
| 0.04% | 14.51% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-cvp7-c586-cmf4 |
| CVE | CVE-2022-0329 |
| CWE id | Name |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | loguru | <= 0.5.3 | 0.6.0 | — |