RCE in PyInstaller
CVE-2025-59042
PyInstaller bundles a Python application and all its dependencies into a single package. Due to a special entry being appended to `sys.path` during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.000 (6.6th percentile)
Affected products
- PyInstaller — versions < 6.0.0