Publish GHSA-jxr6-qrxx-2ph2

Author: advisory-database[bot]

advisories/github-reviewed/2025/07/GHSA-jxr6-qrxx-2ph2/GHSA-jxr6-qrxx-2ph2.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jxr6-qrxx-2ph2",
+  "modified": "2025-07-31T19:33:29Z",
+  "published": "2025-07-31T19:33:29Z",
+  "aliases": [],
+  "summary": "num2words subjected to phishing attack, two versions published containing malware",
+  "details": "The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected versions have been removed from PyPI, and users are advised to remove the affected versions from their environments.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "num2words"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.5.15"
+            },
+            {
+              "last_affected": "0.5.16"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/num2words/PYSEC-2025-72.yaml"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/savoirfairelinux/num2words"
+    },
+    {
+      "type": "WEB",
+      "url": "https://nitter.tiekoetter.com/SFLinux/status/1949906299308953827"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-num2words-pypi-package-shows-signs-of-compromise"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-506"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-07-31T19:33:29Z",
+    "nvd_published_at": null
+  }
+}