CVE-2025-61774
published 2025-10-06


Priority: P2 (58) · CVSS 4.0: 9.3 critical
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U all not defined)
EPSS: 0.59% (43.9th percentile)
PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use `--extra-index-url`. When `--extra-index-url` is used, pip does not prefer one index over the other: it gathers candidates from both the default index (PyPI) and the extra index and installs the highest version it finds, whichever index served it. One package listed in the code is not published on PyPI. If an attacker publishes a package with that name and a higher version on PyPI, the malicious code from the attacker-controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable.
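The resolution rule above is the whole vulnerability, so it is worth seeing it run. The following is an added example, not PyVista project code and not pip itself: a deliberately simplified model of pip's candidate selection (real pip also weighs wheel tags, yanked files and pre-releases, which are left out here). The index URLs `https://pkgs.example.internal/simple`, the package name `internal-mesh-tools` and every version number are constructed for the illustration. It shows the same install before and after an attacker uploads a higher-versioned copy of the private name to PyPI, under `--extra-index-url` and under `--index-url`.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One downloadable release, as listed by one index."""
    name: str
    version: str
    index: str


def version_key(version: str) -> tuple[int, ...]:
    """Ordering key for plain dotted release numbers (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def resolve(name: str, index_url: str, extra_index_urls: list[str],
            catalog: dict[str, list[Candidate]]) -> Candidate | None:
    """Return the candidate pip would install for `name`.

    `index_url` models --index-url (default: PyPI) and `extra_index_urls`
    models --extra-index-url. `catalog` maps an index URL to the candidates it
    serves, standing in for the simple-index pages pip would fetch.
    pip applies no preference by index: every configured index is searched
    and the highest version wins, wherever it came from.
    """
    searched = [index_url, *extra_index_urls]
    found = [c for url in searched for c in catalog.get(url, []) if c.name == name]
    if not found:
        return None
    return max(found, key=lambda c: version_key(c.version))


PYPI = "https://pypi.org/simple"
PRIVATE = "https://pkgs.example.internal/simple"   # hypothetical private index
PKG = "internal-mesh-tools"                         # hypothetical private-only package

# Constructed catalog: the private index serves PKG, PyPI does not (yet).
CATALOG = {
    PRIVATE: [Candidate(PKG, "1.4.0", PRIVATE), Candidate("numpy", "1.26.4", PRIVATE)],
    PYPI: [Candidate("numpy", "2.1.0", PYPI)],
}

# Constructed catalog after an attacker uploads PKG with a higher version to PyPI.
ATTACKED = {
    PRIVATE: CATALOG[PRIVATE],
    PYPI: CATALOG[PYPI] + [Candidate(PKG, "99.0.0", PYPI)],
}


def with_extra_index(catalog: dict[str, list[Candidate]]) -> Candidate | None:
    """pip install --extra-index-url PRIVATE PKG : PyPI plus the private index."""
    return resolve(PKG, PYPI, [PRIVATE], catalog)


def with_index_url(catalog: dict[str, list[Candidate]]) -> Candidate | None:
    """pip install --index-url PRIVATE PKG : PyPI is replaced, not added to."""
    return resolve(PKG, PRIVATE, [], catalog)


if __name__ == "__main__":
    print("before attack, --extra-index-url:", with_extra_index(CATALOG))
    print("after attack,  --extra-index-url:", with_extra_index(ATTACKED))
    print("after attack,  --index-url      :", with_index_url(ATTACKED))
```

Before the attack the private 1.4.0 wins only because nothing else exists; after the attack the PyPI 99.0.0 wins under `--extra-index-url`, while `--index-url` never consults PyPI at all. Note the trade-off the last case implies: with `--index-url` the private index must itself serve or proxy public dependencies such as numpy.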

Affected (2 ranges)

Vendor     Product           Version range     Fixed in
debian     python-pyvista
pyvista    pyvista

Detection & IOCs (extracted from sources)

  • Detect use of `--extra-index-url` in pip install commands and requirements files within PyVista project scripts/CI pipelines. With this option pip keeps consulting PyPI alongside the intended private/external index and installs whichever index offers the highest version, which is what makes dependency confusion possible.
  • Monitor for unexpected or newly published PyPI packages matching internal/private package names used by PyVista 0.46.3 dependencies, especially names not previously present on PyPI that suddenly appear with high version numbers.
  • Alert on pip installations resolving packages from PyPI that were previously only expected from a private/external index (dependency confusion indicator), particularly in environments running PyVista 0.46.3.
  • The specific package name(s) vulnerable to dependency confusion are not disclosed in the sources; defenders should audit PyVista 0.46.3 dependency files directly to identify which package is missing from PyPI.
  • No patched version is available as of time of publication. Mitigation requires replacing `--extra-index-url` with `--index-url` so that PyPI is no longer consulted (the private index must then serve or proxy every public dependency), pinning requirements with `--require-hashes` so that an unexpected artifact fails to install, or publishing a placeholder/reserved package on PyPI under the private name.
  • The vulnerability is scoped as local in Debian's security tracker, which may affect severity assessment in some environments.
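The first and third detection items above can both be scripted. What follows is an added example, not PyVista project code and not a published detection rule: one function audits requirements/CI text for `--extra-index-url` and names the private packages it exposes, and a second reads pip's JSON installation report (`pip install --dry-run --report -`, available since pip 22.2; the field names used are the ones that report carries, but check them against your pip version) and flags any package that was expected from the private index but was fetched from PyPI hosts. The requirements text, the index URL `https://pkgs.example.internal/simple`, the package name `internal-mesh-tools` and the report JSON are all constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Hosts that a download from the public index resolves to.
PYPI_HOSTS = {"pypi.org", "files.pythonhosted.org"}

_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")
_EXTRA = re.compile(r"--extra-index-url[ =](\S+)")


def canonical(name: str) -> str:
    """Normalise a distribution name the way indexes compare them (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str, expected_private: set[str]) -> dict:
    """Scan requirements/CI text for --extra-index-url and the names it puts at risk.

    Returns {"extra_index_urls": [...], "at_risk": [...]}: at_risk lists the
    requirements in `expected_private` that are installed while PyPI is still
    consulted, so a higher-versioned PyPI upload of that name would win.
    """
    extra, names = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _EXTRA.match(line)
        if m:
            extra.append(m.group(1))
            continue
        if line.startswith("-"):          # other pip options such as --index-url
            continue
        m = _NAME.match(line)
        if m:
            names.append(canonical(m.group(0)))
    wanted = {canonical(n) for n in expected_private}
    at_risk = [n for n in names if n in wanted] if extra else []
    return {"extra_index_urls": extra, "at_risk": at_risk}


def check_install_report(report_json: str, expected_private: set[str]) -> list[dict]:
    """Flag packages that pip fetched from PyPI hosts although they were
    expected from the private index.

    Assumes the shape of pip's installation report (pip >= 22.2): an
    "install" list whose items carry "metadata" {name, version} and
    "download_info" {url}.
    """
    wanted = {canonical(n) for n in expected_private}
    hits = []
    for item in json.loads(report_json).get("install", []):
        name = canonical(item["metadata"]["name"])
        url = item.get("download_info", {}).get("url", "")
        if name in wanted and (urlparse(url).hostname or "") in PYPI_HOSTS:
            hits.append({"name": name, "version": item["metadata"]["version"], "url": url})
    return hits


PRIVATE_NAMES = {"internal-mesh-tools"}   # hypothetical private-only package

# Constructed requirements in the vulnerable shape: PyPI is still consulted.
VULNERABLE_REQS = """\
--extra-index-url https://pkgs.example.internal/simple
numpy>=1.26
internal-mesh-tools==1.4.0
"""

# Constructed hardened form: --index-url replaces PyPI, so the private index
# must serve (or proxy) numpy too; nothing is fetched from pypi.org.
HARDENED_REQS = """\
--index-url https://pkgs.example.internal/simple
numpy==1.26.4
internal-mesh-tools==1.4.0
"""

# Constructed installation report showing the hijacked resolution.
SAMPLE_REPORT = json.dumps({"version": "1", "install": [
    {"metadata": {"name": "numpy", "version": "1.26.4"},
     "download_info": {"url": "https://files.pythonhosted.org/packages/a1/b2/numpy-1.26.4-cp312-cp312-manylinux_2_17_x86_64.whl"}},
    {"metadata": {"name": "internal_mesh_tools", "version": "99.0.0"},
     "download_info": {"url": "https://files.pythonhosted.org/packages/c3/d4/internal_mesh_tools-99.0.0-py3-none-any.whl"}},
]})

if __name__ == "__main__":
    print(audit_requirements(VULNERABLE_REQS, PRIVATE_NAMES))
    print(audit_requirements(HARDENED_REQS, PRIVATE_NAMES))
    print(check_install_report(SAMPLE_REPORT, PRIVATE_NAMES))
```

Run the audit in CI against every requirements file and pip invocation, and run the report check on a `--dry-run --report` pass before the real install; a non-empty `at_risk` or `hits` list is the signal to fail the job. Adding `--require-hashes` to the hardened requirements file is the further step that makes an unexpected artifact fail even if the index configuration regresses.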

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             4.0       9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                       9.3     CRITICAL
vendor_debian             9.3     LOW