GHSA-jxr6-qrxx-2ph2 num2words

Package

Manager: pip
Name: num2words
Vulnerable Version: >=0.5.15 <=0.5.16

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

num2words subjected to phishing attack, two versions published containing malware

The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected versions have been removed from PyPI, and users are advised to remove the affected versions from their environments.

Metadata

Created: 2025-07-31T19:33:29Z
Modified: 2025-07-31T19:33:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-jxr6-qrxx-2ph2/GHSA-jxr6-qrxx-2ph2.json
CWE IDs: ["CWE-506"]
Alternative ID: N/A
Finding: F448
Auto approve: 1