We stopped building Single Executable binaries for depscan from version 5.2.14 onwards. However, the historic versions (>= 0.0.1, <= 5.2.6) were built using an older, vulnerable version of PyInstaller and are therefore affected by CVE-2025-59042.
Mitigation
Use the PyPI package or the container images, which do not use PyInstaller. If Single Executable binaries are needed, recreate them with the latest version of PyInstaller (>= 6.0.0) using the build scripts available in the depscan-bin repo.
The pyinstaller commands and their arguments for Ubuntu and Windows are at the following lines of the depscan-bin workflows:
https://github.com/owasp-dep-scan/depscan-bin/blob/fcd10c63f359d62f75d4b783efcbbbcc4c49369e/.github/workflows/ubuntu.yml#L58
https://github.com/owasp-dep-scan/depscan-bin/blob/fcd10c63f359d62f75d4b783efcbbbcc4c49369e/.github/workflows/win.yml#L49
Workarounds
If the mitigation options are not possible, ensuring proper permissions on directories containing security-sensitive executables (i.e., executables with the setuid bit set), in particular that those directories are not writable by group or other users, should mitigate the issue.
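The following audit script is an added example and is not code from the depscan or PyInstaller projects. It walks a directory tree, reports setuid regular files whose parent directory is writable by group or others, notes which of them carry the PyInstaller archive cookie (so you can tell which findings are bundled executables), and applies the workaround by stripping the offending write bits. The function names, the constructed sample tree and the assumption that a group/other-writable parent directory is the condition to flag are this example's own.

```python
#!/usr/bin/env python3
"""Audit setuid executables for the CVE-2025-59042 workaround.

Flags setuid executables whose parent directory is writable by group or
others, and notes which of them look like PyInstaller onefile bundles.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Cookie PyInstaller embeds in the archive it appends to a bundled executable.
# Matching it only identifies a bundle; it does not prove the bundle is vulnerable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Bits that let someone other than the owner write into a directory (assumed
# here to be the unsafe condition the workaround is about).
UNSAFE_DIR_BITS = stat.S_IWGRP | stat.S_IWOTH


@dataclass
class Finding:
    path: str            # the setuid executable
    directory: str       # its parent directory
    dir_mode: int        # permission bits of that directory
    pyinstaller: bool    # whether the file carries the PyInstaller cookie


def is_pyinstaller_bundle(path, chunk=1 << 20):
    """Return True if the file contains the PyInstaller archive cookie anywhere."""
    overlap = len(PYINSTALLER_MAGIC) - 1
    tail = b""
    try:
        with open(path, "rb") as f:
            while True:
                data = f.read(chunk)
                if not data:
                    return False
                if PYINSTALLER_MAGIC in tail + data:
                    return True
                tail = data[-overlap:]   # keep a tail so chunk boundaries do not hide a match
    except OSError:
        return False


def dir_is_unsafe(directory):
    """True if group or others may create or replace entries in the directory."""
    return bool(os.stat(directory).st_mode & UNSAFE_DIR_BITS)


def audit_setuid(root):
    """Walk root and report setuid regular files living in unsafe directories."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if dir_is_unsafe(dirpath):
                findings.append(Finding(
                    path=path,
                    directory=dirpath,
                    dir_mode=stat.S_IMODE(os.stat(dirpath).st_mode),
                    pyinstaller=is_pyinstaller_bundle(path),
                ))
    return sorted(findings, key=lambda f: f.path)


def harden_directory(directory):
    """Apply the workaround: strip group/other write bits from the directory."""
    mode = stat.S_IMODE(os.stat(directory).st_mode)
    os.chmod(directory, mode & ~UNSAFE_DIR_BITS)


def make_sample_tree():
    """Constructed sample layout (not a real install) for trying the audit."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    writable = os.path.join(root, "opt-writable")
    safe = os.path.join(root, "usr-local-bin")
    os.mkdir(writable)
    os.mkdir(safe)
    # Fake bundle: a few leading bytes followed by the PyInstaller cookie.
    bundle = b"\x7fELF" + b"\0" * 64 + PYINSTALLER_MAGIC + b"\0" * 16
    plain = b"\x7fELF" + b"\0" * 64
    files = {
        os.path.join(writable, "depscan"): bundle,   # unsafe dir, bundle
        os.path.join(writable, "helper"): plain,     # unsafe dir, not a bundle
        os.path.join(safe, "depscan"): bundle,       # safe dir, not reported
    }
    for path, content in files.items():
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, 0o4755)                       # setuid + rwxr-xr-x
    os.chmod(writable, 0o777)                        # the unsafe condition
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for f in audit_setuid(root):
        print(f"{f.path}: dir {f.directory} mode {oct(f.dir_mode)} "
              f"pyinstaller={f.pyinstaller}")
    harden_directory(os.path.join(root, "opt-writable"))
    print("after hardening:", audit_setuid(root))
```

Run `audit_setuid("/")` as root to sweep a host; the script only reports and, where you call `harden_directory`, tightens directory permissions. Rebuilding the binaries with PyInstaller >= 6.0.0, or switching to the PyPI package or container images, remains the actual fix.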
References
Last known vulnerable release: https://github.com/owasp-dep-scan/depscan-bin/releases/tag/v5.2.6
PyInstaller advisory: GHSA-p2xp-xx3r-mffc