PyVista has Dependency Confusion Vulnerability in that leads to RCE
CVE-2025-61774

9.3CRITICAL

Key Information:

Vendor

Pyvista

Status
Pyvista
Vendor
CVE Published:
6 October 2025

What is CVE-2025-61774?

PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use--extra-index-url. But when --extra-index-url is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published in PyPI. If an attacker publishes a package with higher version in PyPI, the malicious code from the attacker controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable.

Affected Version(s)

pyvista = 0.46.3

References

https://github.com/pyvista/pyvista/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pyvista/pyvista/commit/aabfb3db2b0d498...
x_refsource_MISC
https://github.com/pyvista/pyvista/blob/c96e1ddbe707fb7d3...
x_refsource_MISC

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-61774 : Remote Code Execution Vulnerability in PyVista Product by PyVista