CVE-2025-61774
Linux Debian vulnerability analysis and mitigation

Overview

PyVista version 0.46.3 is vulnerable to remote code execution (CVE-2025-61774) through dependency confusion. The vulnerability was discovered and disclosed on October 6, 2025. PyVista, which provides 3D plotting and mesh analysis through a Python interface to the Visualization Toolkit (VTK), is affected when it is installed with specific package installation configurations (GitHub Advisory).

Technical details

The vulnerability stems from the use of the '--extra-index-url' parameter in pip installation commands. When this parameter is used, pip checks the PyPI index first before checking external indexes. Since the package 'vtk-osmesa' is not published on PyPI, an attacker could publish a malicious package under that name on PyPI with a higher version number, and pip would install it instead of the legitimate package from the intended external index. The vulnerability has been assigned a CVSS v4.0 score of 9.3 CRITICAL with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).

Impact

The vulnerability can lead to remote code execution and supply chain attacks. If exploited, an attacker who publishes a higher-numbered version of the package on PyPI could have attacker-controlled code executed during package installation (GitHub Advisory).

Mitigation and workarounds

As of the time of publication, no patched version is available. Users should exercise caution when using '--extra-index-url' in pip installations and should consider additional measures, such as exact version pins and hash pinning, to verify that each package comes from the intended source (NVD).
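As an added example (not part of the advisory or of PyVista), the following Python checker scans a requirements file for the pattern the advisory describes: an '--extra-index-url' option combined with requirements that are not pinned to an exact version and a '--hash=' value. With hash pinning, 'pip install --require-hashes' rejects any distribution whose hash does not match, whichever index serves it. The requirements text, the index URL and the hash value are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample requirements file shaped like the install the advisory
# describes: one external index plus requirements that pip could satisfy
# from an unintended index. The URL and hash are placeholders.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://wheels.example.invalid/simple
pyvista==0.46.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
vtk-osmesa
numpy>=1.26   # range pin, not an exact pin
"""


@dataclass
class Finding:
    line_no: int
    requirement: str
    reason: str


# Project name at the start of a requirement line (PEP 508 name characters).
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def uses_extra_index(text: str) -> bool:
    """True when any line adds a second index via --extra-index-url."""
    return any(l.strip().startswith("--extra-index-url") for l in text.splitlines())


def check_requirements(text: str) -> list:
    """Return one Finding per weakness that lets a substituted distribution win.

    When --extra-index-url is present, every requirement must carry an exact
    '==' pin and at least one --hash= value, so that pip run with
    --require-hashes refuses a same-named package served by another index.
    """
    findings = []
    if not uses_extra_index(text):
        return findings  # single index: no cross-index substitution to check
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only or option line
        m = _REQ_NAME.match(line)
        name = m.group(1) if m else line
        if "==" not in line:
            findings.append(Finding(no, name, "no exact '==' version pin"))
        if "--hash=" not in line:
            findings.append(Finding(no, name, "no --hash= pin"))
    return findings
```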

