SCA: security update for pyinstaller (GHSA-p2xp-xx3r-mffc)

high Tenable Self-Hosted Container Security Plugin ID 435255

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PyInstaller bundles a Python application and all its dependencies into a single package. Due to a special
entry being appended to `sys.path` during the bootstrap process of a PyInstaller-frozen application, and
due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry
is still present in `sys.path`, an application built with PyInstaller < 6.0.0 may be tricked by an
unprivileged attacker into executing arbitrary python code when **all** of the following conditions are
met. First, the application is built with PyInstaller < 6.0.0; both onedir and onefile mode are affected.
Second, the optional bytecode encryption code feature was not enabled during the application build. Third,
the attacker can create files/directories in the same directory where the executable is located. Fourth,
the filesystem supports creation of files/directories that contain `?` in their name (i.e., non-Windows
systems). Fifth, the attacker is able to determine the offset at which the PYZ archive is embedded in the
executable. The attacker can create a directory (or a zip archive) next to the executable, with the name
that matches the format used by PyInstaller's bootloader to transmit information about the location of PYZ
archive to the bootstrap script. If this directory (or zip archive) contains a python module whose name
matches the name used by the optional bytecode encryption feature, this module will be loaded and executed
by the bootstrap script (in the absence of the real, built-in module that is available when the bytecode-
encryption feature is enabled). This results in arbitrary code execution that requires no modification of
the executable itself. If the executable is running with elevated privileges (for example, due to having
the `setuid` bit set), the code in the injected module is also executed with the said elevated privileges,
resulting in a local privilege escalation. PyInstaller 6.0.0 (f5adf291c8b832d5aff7632844f7e3ddf7ad4923)
removed support for bytecode encryption; this effectively removes the described attack vector, due to the
bootstrap script not attempting to load the optional module for bytecode-decryption anymore. PyInstaller
6.10.0 (cfd60b510f95f92cb81fc42735c399bb781a4739) reworked the bootstrap process to avoid (ab)using
`sys.path` for transmitting location of the PYZ archive, which further eliminates the possibility of
described injection procedure. If upgrading PyInstaller is not feasible, this issue can be worked around
by ensuring proper permissions on directories containing security-sensitive executables (i.e., executables
with `setuid` bit set) should mitigate the issue. (CVE-2025-59042)

See Also

https://github.com/advisories/GHSA-p2xp-xx3r-mffc

Plugin Details

Severity: High

ID: 435255

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 9/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.5

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.3

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-59042

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7

Threat Score: 4

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/10/2025

Vulnerability Publication Date: 9/9/2025

Reference Information

CVE: CVE-2025-59042

cwe: CWE-94