Summary
PyInstaller has local privilege escalation vulnerability
Workarounds
If upgrading PyInstaller is no feasible, this issue can be worked around by ensuring proper permissions on directories containing security-sensitive executables (i.e., executables with setuid bit set) should mitigate the issue.
Impact
Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary python code when all of the following conditions are met:
- Application is built with PyInstaller < 6.0.0; both onedir and onefile mode are affected.
- Optional bytecode encryption code feature was not enabled during the application build.
- The attacker can create files/directories in the same directory where the executable is located.
- The filesystem supports creation of files/directories that contain
?in their name (i.e., non-Windows systems). - The attacker is able to determine the offset at which the PYZ archive is embedded in the executable.
The attacker can create a directory (or a zip archive) next to the executable, with the name that matches the format used by PyInstaller's bootloader to transmit information about the location of PYZ archive to the bootstrap script. If this directory (or zip archive) contains a python module whose name matches the name used by the optional bytecode encryption feature, this module will be loaded and executed by the bootstrap script (in the absence of the real, built-in module that is available when the bytecode-encryption feature is enabled). This results in arbitrary code execution that requires no modification of the executable itself.
If the executable is running with elevated privileges (for example, due to having the setuid bit set), the code in the injected module is also executed with the said elevated privileges, resulting in a local privilege escalation.
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
PyInstaller 6.0.0 (f5adf291c8b832d5aff7632844f7e3ddf7ad4923) removed support for bytecode encryption; this effectively removes the described attack vector, due to the bootstrap script not attempting to load the optional module for bytecode-decryption anymore.
PyInstaller 6.10.0 (cfd60b510f95f92cb81fc42735c399bb781a4739) reworked the bootstrap process to avoid (ab)using sys.path for transmitting location of the PYZ archive, which further eliminates the possibility of described injection procedure.
Frequently Asked Questions
- What is CVE-2025-59042? CVE-2025-59042 is a high-severity code injection vulnerability in pyinstaller (pip), affecting versions < 6.0.0. It is fixed in 6.0.0. Untrusted input is evaluated as executable code within the application's runtime environment.
- Which versions of pyinstaller are affected by CVE-2025-59042? pyinstaller (pip) versions < 6.0.0 is affected.
- Is there a fix for CVE-2025-59042? Yes. CVE-2025-59042 is fixed in 6.0.0. Upgrade to this version or later.
- Is CVE-2025-59042 exploitable, and should I be worried? Whether CVE-2025-59042 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-59042 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-59042? Upgrade
pyinstallerto 6.0.0 or later.