CVE-2025-61774
Last modified
CVE-2025-61774 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use`--extra-index-url`. But when `--extra-index-url` is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published in PyPI. If an attacker publishes a package with higher version in PyPI, the malicious code from the attacker controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable.
Metrics
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2025-61774?
How severe is CVE-2025-61774?
How do I fix CVE-2025-61774?
Are you affected by CVE-2025-61774?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST