CVE-2025-59042: PyInstaller has local privilege escalation vulnerability
Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary Python code when all of the following conditions are met:
- Application is built with PyInstaller < 6.0.0; both onedir and onefile mode are affected.
- The optional bytecode encryption feature was not enabled during the application build.
- The attacker can create files/directories in the same directory where the executable is located.
- The filesystem supports creation of files/directories that contain the character ? in their name (i.e., non-Windows systems).
- The attacker is able to determine the offset at which the PYZ archive is embedded in the executable.
The attacker can create a directory (or a zip archive) next to the executable, with a name that matches the format used by PyInstaller's bootloader to transmit the location of the PYZ archive to the bootstrap script. If this directory (or zip archive) contains a Python module whose name matches the name used by the optional bytecode encryption feature, this module will be loaded and executed by the bootstrap script (in the absence of the real, built-in module that is only available when the bytecode-encryption feature is enabled). This results in arbitrary code execution that requires no modification of the executable itself.
If the executable is running with elevated privileges (for example, because it has the setuid bit set), the code in the injected module is also executed with those elevated privileges, resulting in a local privilege escalation.
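A defender-side check for the condition described above, written for this page and not part of PyInstaller or the advisory: it lists siblings of a frozen executable whose names look like the bootloader's PYZ sys.path entry, and reports whether the executable is setuid/setgid. The entry format "<executable>?<offset>" is an assumption drawn from the advisory's description, and the directory layout in demo() is constructed.

```python
import os
import re
import stat
import tempfile
import zipfile
from pathlib import Path

# Assumption (from the advisory's description): PyInstaller < 6.0.0 appends an
# entry of the form "<path to executable>?<offset>" to sys.path while the
# bootstrap script still tries to import the optional decryption module. A
# directory or zip archive next to the executable carrying exactly that name
# would therefore be searched for modules. This check enumerates such siblings.

def suspicious_pyz_path_entries(exe_path):
    """Return (name, kind) for siblings named '<exe>?<digits>' that are a
    directory or a zip archive, i.e. the only kinds Python would import from."""
    exe = Path(exe_path).resolve()
    pattern = re.compile(r"^" + re.escape(exe.name) + r"\?\d+$")
    hits = []
    for entry in exe.parent.iterdir():
        if not pattern.match(entry.name):
            continue
        if entry.is_dir():
            hits.append((entry.name, "dir"))
        elif zipfile.is_zipfile(entry):
            hits.append((entry.name, "zip"))
    return sorted(hits)

def is_setuid_or_setgid(exe_path):
    """True when the binary runs with elevated privileges via setuid/setgid,
    which turns the module injection into a privilege escalation."""
    mode = os.stat(exe_path).st_mode
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def demo():
    """Constructed layout (non-Windows filesystem, since '?' is in the names):
    a frozen 'app' plus two planted siblings and two decoys that must not match."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").write_bytes(b"constructed placeholder, not a real binary")
        (root / "app?4096").mkdir()                       # directory with the entry name
        with zipfile.ZipFile(root / "app?8192", "w") as zf:  # zip archive, same name format
            zf.writestr("readme.txt", "constructed sample archive")
        (root / "app?notes").write_text("harmless")       # decoy: offset is not numeric
        (root / "other?4096").mkdir()                     # decoy: different executable name
        return suspicious_pyz_path_entries(root / "app")
```

Run demo() on a Linux or macOS host; it returns the two planted entries and ignores both decoys.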