An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jdnA3LWM1ODYtY21mNM0l4g

Withdrawn: Code Injection in loguru

This advisory has been withdrawn after the maintainers of loguru noted this issue is not a security vulnerability and the CVE has been revoked. We have stopped Dependabot alerts regarding this issue.

Original Description

In versions of loguru up to and including 0.5.3 a lack of sanitization on log serialization can lead to arbitrary code execution. The maintainer disputes the issue, but has altered behavior of the library in commit 4b0070a4f30cbf6d5e12e6274b242b62ea11c81b. See for further discussion of the issue. The function in question is intended for internal use only, but is not restricted. This has been patched in version 0.6.0.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

Withdrawn: about 2 years ago

Identifiers: GHSA-cvp7-c586-cmf4, CVE-2022-0329
References: Repository:
Blast Radius: 0.0

Affected Packages

Dependent packages: 1,874
Dependent repositories: 14,266
Downloads: 22,401,771 last month
Affected Version Ranges: <= 0.5.3
Fixed in: 0.6.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3
All unaffected versions: 0.6.0, 0.7.0, 0.7.1, 0.7.2