PyInstaller bundles a Python application and all its dependencies into a single package. Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary python code when all of the following conditions are met. First, the application is built with PyInstaller < 6.0.0; both onedir and onefile mode are affected. Second, the optional bytecode encryption code feature was not enabled during the application build. Third, the attacker can create files/directories in the same directory where the executable is located. Fourth, the filesystem supports creation of files/directories that contain ? in their name (i.e., non-Windows systems). Fifth, the attacker is able to determine the offset at which the PYZ archive is embedded in the executable. The attacker can create a directory (or a zip archive) next to the executable, with the name that matches the format used by PyInstaller's bootloader to transmit information about the location of PYZ archive to the bootstrap script. If this directory (or zip archive) contains a python module whose name matches the name used by the optional bytecode encryption feature, this module will be loaded and executed by the bootstrap script (in the absence of the real, built-in module that is available when the bytecode-encryption feature is enabled). This results in arbitrary code execution that requires no modification of the executable itself. If the executable is running with elevated privileges (for example, due to having the setuid bit set), the code in the injected module is also executed with the said elevated privileges, resulting in a local privilege escalation. PyInstaller 6.0.0 (f5adf291c8b832d5aff7632844f7e3ddf7ad4923) removed support for bytecode encryption; this effectively removes the described attack vector, due to the bootstrap script not attempting to load the optional module for bytecode-decryption anymore. PyInstaller 6.10.0 (cfd60b510f95f92cb81fc42735c399bb781a4739) reworked the bootstrap process to avoid (ab)using sys.path for transmitting location of the PYZ archive, which further eliminates the possibility of described injection procedure. If upgrading PyInstaller is not feasible, this issue can be worked around by ensuring proper permissions on directories containing security-sensitive executables (i.e., executables with setuid bit set) should mitigate the issue.
CVE-2025-59042
This high-severity CVE scores 7.0 under NVD CVSS v3. EPSS exploit probability: 0.0%, top 93% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.0
- EG Score
- 7.0(medium)
- EPSS
- 1.7%
- KEV
- Not listed
Published
September 9, 2025
Last Modified
April 15, 2026
References (2)
- security-advisories@githubhttps://github.com/pyinstaller/pyinstaller/commit/f5adf291c8b832d5aff7632844f7e3ddf7ad4923
- security-advisories@githubhttps://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-p2xp-xx3r-mffc
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| pyinstaller | 1.5 ... 5.9.0 (47 versions) | 6.0.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 8× in last 7d / 38× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:09 UTCEPSS rescore
- 2026-07-08 15:15 UTCEPSS rescore
- 2026-07-07 13:45 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:30 UTCEPSS rescore
- 2026-07-02 17:01 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 03:46 UTCOSV refresh
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-23 21:32 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
Show 73 moreShow fewer
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:48 UTCEPSS rescore
- 2026-06-14 23:17 UTCEPSS rescore
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-08 15:32 UTCEG score recompute▲ 7.00
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-02 16:02 UTCOSV refresh
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-26 13:44 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-24 16:57 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-22 21:16 UTCEPSS rescore
- 2026-05-21 22:43 UTCEPSS rescore
- 2026-05-21 08:19 UTCEG score recompute
- 2026-05-21 06:36 UTCOSV refresh
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-18 21:31 UTCEPSS rescore
Related CVEs(same CWE)
Same CWE
10 shownCWE-94
- CVE-2006-1359NVD 0.0EG 9.0EPSS 99%NONE
- CVE-2005-1921NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2005-3302EG 7.3HIGH
- CVE-2005-1876EG 4.5MEDIUM
- CVE-2003-1599EG 0.0NONE
- CVE-2006-1318EG 0.0EPSS 96%NONE
- CVE-2006-1301EG 0.0EPSS 95%NONE
- CVE-2006-1308EG 0.0EPSS 95%NONE
- CVE-2006-1309EG 0.0EPSS 95%NONE
- CVE-2006-1304EG 0.0EPSS 95%NONE
Frequently asked(5)
What is CVE-2025-59042?
When was CVE-2025-59042 disclosed?
Is CVE-2025-59042 actively exploited?
What is the CVSS score of CVE-2025-59042?
How do I remediate CVE-2025-59042?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2025-59042
Is Your Infrastructure Affected by CVE-2025-59042?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.