CVE-2025-61774
BaseFortify

Publication date: 2025-10-06

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use `--extra-index-url`. But when `--extra-index-url` is used, pip always checks the PyPI index first, and then the external index. One package listed in the code is not published on PyPI. If an attacker publishes a package with a higher version on PyPI, the malicious code from the attacker-controlled package may be pulled, leading to remote code execution and a supply chain attack. As of the time of publication, a patched version is unavailable.
Meta Information
Published: 2025-10-06
Last Modified: 2025-10-08
Generated: 2026-05-07
AI Q&A: 2025-10-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
pyvista  pyvista   0.46.3
pyvista  pyvista   *
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in PyVista version 0.46.3 involves remote code execution via dependency confusion. The software uses pip with the --extra-index-url option, which causes pip to check the official PyPI index first before an external index. One required package is not published on PyPI, so if an attacker publishes a malicious package with the same name but a higher version on PyPI, pip will install the attacker's package instead. This can lead to execution of malicious code and a supply chain attack.


How can this vulnerability impact me?

This vulnerability can lead to remote code execution on your system if you install PyVista version 0.46.3 or its dependencies using pip with --extra-index-url. An attacker can exploit this by publishing a malicious package on PyPI that gets installed instead of the intended package, potentially compromising your system and data through a supply chain attack.


What immediate steps should I take to mitigate this vulnerability?

Since a patched version is unavailable, immediate mitigation steps include avoiding the use of the vulnerable PyVista version 0.46.3, especially in environments where pip installs packages using `--extra-index-url`. Additionally, carefully audit and restrict the use of external package indexes to prevent dependency confusion attacks. Monitoring and controlling package sources can reduce the risk of pulling malicious packages.
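The description above and the advice to audit and restrict external package indexes both come down to one pip behaviour: with `--extra-index-url`, every index is consulted and the highest version wins, so any package that exists only on the private index can be shadowed by a same-named upload to PyPI. The following Python script is an added example, not part of the BaseFortify record or of PyVista's code. It parses a requirements file, flags `--extra-index-url` and the private-only packages it exposes, models pip's highest-version rule, and emits the hardened `--index-url` form. The requirements file, the index URL `https://pypi.internal.example/simple` and the package name `internal-mesh-tools` are constructed placeholders, not PyVista's real dependencies.

```python
"""Audit a pip requirements file for the dependency-confusion pattern
(--extra-index-url plus private-only packages). Added example; all
sample data below is constructed and does not describe PyVista."""
import re
from dataclasses import dataclass

# Constructed sample requirements file (placeholder index and package name).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file (not PyVista's)
--extra-index-url https://pypi.internal.example/simple
numpy>=1.26
internal-mesh-tools>=2.1
"""

# Constructed: names that exist only on the private index, not on PyPI.
PRIVATE_ONLY = {"internal_mesh_tools"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str      # "extra-index" or "confusable"
    detail: str


def normalize(name: str) -> str:
    """PEP 503 normalisation; pip compares project names this way."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str):
    """Split a requirements file into (line, option, value) and (line, name)."""
    options, reqs = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("-"):              # pip option line
            opt, _, value = line.partition(" ")
            options.append((lineno, opt, value.strip()))
            continue
        m = NAME_RE.match(line)               # requirement line: take the name
        if m:
            reqs.append((lineno, normalize(m.group(1))))
    return options, reqs


def audit(text: str, private_only):
    """Flag --extra-index-url and every private-only package it exposes."""
    options, reqs = parse_requirements(text)
    private = {normalize(p) for p in private_only}
    findings = []
    extras = [(ln, url) for ln, opt, url in options if opt == "--extra-index-url"]
    for ln, url in extras:
        findings.append(Finding(ln, "extra-index",
                                f"pip consults PyPI as well as {url}"))
    if extras:   # only risky when PyPI is in the search path too
        for ln, name in reqs:
            if name in private:
                findings.append(Finding(ln, "confusable",
                                        f"{name} is private-only; a higher "
                                        f"version on PyPI would be chosen"))
    return findings


def pip_choice(candidates):
    """Model pip's rule: the highest version wins, whichever index served it.
    Simplified to plain dotted numeric versions."""
    return max(candidates, key=lambda c: tuple(int(p) for p in c[1].split(".")))


def harden(text: str) -> str:
    """Turn --extra-index-url into --index-url so pip consults one index only.
    That index must then proxy or mirror the public packages still needed."""
    return "\n".join(
        line.replace("--extra-index-url", "--index-url", 1)
        if line.lstrip().startswith("--extra-index-url") else line
        for line in text.splitlines()
    ) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS, PRIVATE_ONLY):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print(harden(SAMPLE_REQUIREMENTS))
```

Switching to `--index-url` only helps if the private index proxies or mirrors PyPI for the public packages you still need; otherwise installs of those packages fail. The stronger control, independent of which index answers, is hash-pinned requirements installed with pip's `--require-hashes`, since a substituted artifact then fails verification rather than executing.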

